b'      United States Department of Agriculture\n\n\n\n\nOffice of Inspector General\nUSDA Office of the Chief\nInformation Officer, Fiscal Year 2013\nFederal Information Security\nManagement Act\n\n\n\n\n                                       50501-0004-12\n                                       November 2013\n\x0c                                       U.S. Department of Agriculture, Office of the Chief\n                                         Information Officer, Fiscal Year 2013 Federal\n                                             Information Security Management Act\n\n                                                     Audit Report 50501-0004-12\nWhat Were OIG\xe2\x80\x99s\nObjectives\nEvaluate USDA\xe2\x80\x99s overall IT\nsecurity program, compliance\nwith FISMA, and\neffectiveness of controls over\ncontinuous monitoring,             As required by FISMA, OIG reviewed\nconfiguration management,\nidentity and access                USDA\xe2\x80\x99s ongoing efforts to improve its\nmanagement, incident               IT security program and practices, as\nresponse, assessments and          of FY 2013.\nauthorizations, IT training,\nPlan of Action and Milestones,\nremote access management,          What OIG Found\ncontingency planning,\ncontractor systems, and            The Office of Inspector General (OIG) found that, although the\ncapital planning.                  Department of Agriculture (USDA) continues to improve the security\n                                   posture of its information technology (IT) infrastructure and\nWhat OIG Reviewed                  associated data, many longstanding weaknesses remain. In fiscal\nThe scope was Department-          years (FY) 2009 through 2012, OIG made 49 recommendations for\nwide and included agency IT        improving the overall security of USDA\xe2\x80\x99s systems, but only 19 of\naudit work completed during        these have been closed. 
We noted that the Office of the Chief\nFY 2013, other OIG audits          Information Officer (OCIO) is taking positive steps to improve its\ncompleted throughout the           security posture in the future. For example, OCIO released three key\nyear, and the results of reviews   Departmentwide policies in the latter part of FY 2013 and the\nperformed by contract              beginning of FY 2014. However, it is now critical that agencies\nauditors. This audit covered       create and implement agency-specific procedures based on\n11 agencies and staff offices,     Departmental policy. OCIO then needs to review the agencies\xe2\x80\x99\noperating 159 of the               implemented procedures to ensure compliance with USDA policy.\nDepartment\xe2\x80\x99s 246 major             Once this process is institutionalized throughout USDA, its security\nsystems.                           posture should improve and be sustainable in the future.\n\nWhat OIG Recommends                Again this year, we continue to report a material weakness in USDA\xe2\x80\x99s\n                                   IT security. 
The Department has not (1) developed policies,\nThe Department should              procedures or strategies for continuous monitoring or risk\ncontinue its progress by           management; (2) monitored agencies for compliance with baseline\nissuing critical policy and        configurations and ensured known vulnerabilities were fixed; (3)\ncompleting actions on the 30       deleted separated employees\xe2\x80\x99 access to computer systems; (4)\noutstanding recommendations        developed and implemented a policy to detect and remove\nfrom the FY 2009 through           unauthorized network connections; or (5) finalized and issued policy\n2012 FISMA audit reports and       for information security oversight of systems that contractors or other\nthe 6 new recommendations          entities operate on USDA\xe2\x80\x99s behalf, including systems and services\nincluded in this report.           residing in the cloud.\n\x0c\x0c                          United States Department of Agriculture\n                                 Office of Inspector General\n                                   Washington, D.C. 20250\n\n\n\n\nNovember 26, 2013\n\n\n\nThe Honorable Sylvia M. Burwell\nDirector\nOffice of Management and Budget\nEisenhower Executive Office Building\n17th Street and Pennsylvania Avenue NW\nWashington, D.C. 20503\n\nDear Ms. Burwell:\n\nEnclosed is a copy of our report, U.S. Department of Agriculture, Office of the Chief Information\nOfficer, Fiscal Year 2013 Federal Information Security Management Act (Audit Report 50501-\n0004-12), presenting the results of our audit of the Department of Agriculture\xe2\x80\x99s (USDA) efforts\nto improve the management and security of its information technology (IT) resources. 
USDA\nand its agencies have taken actions to improve the security over their IT resources; however,\nadditional actions are still needed to establish an effective security program.\n\nIf you have any questions, please contact me at (202) 720-8001, or have a member of your staff\ncontact Mr. Gil H. Harden, Assistant Inspector General for Audit, at (202) 720-6945.\n\nSincerely,\n\n\n\n\nPhyllis K. Fong\nInspector General\n\nEnclosure\n\x0c\x0cTable of Contents\n\nU.S. Department of Agriculture, Office of the Chief Information Officer,\nFiscal Year 2013 Federal Information Security Management Act ................... 1\nFindings and Recommendations............................................................................ 1\n         Recommendation 1 ........................................................................................8\n         Recommendation 2 ........................................................................................8\n         Recommendation 3 ........................................................................................8\n         Recommendation 4 ........................................................................................9\n         Recommendation 5 ........................................................................................9\n         Recommendation 6 ........................................................................................9\nBackground & Objectives .................................................................................... 10\nScope and Methodology ........................................................................................ 12\nAbbreviations ........................................................................................................ 14\nExhibit A: Office of Management and Budget /Department of Homeland\nSecurity Reporting Requirements and U. S. 
Department of Agriculture Office\nof Inspector General Position .............................................................................. 16\nExhibit B: Sampling Methodology and Projections ......................................... 48\n\x0c\x0cU.S. Department of Agriculture, Office of the Chief Information\nOfficer, Fiscal Year 2013 Federal Information\nSecurity Management Act\nFindings and Recommendations\nThis report constitutes the Office of Inspector General\xe2\x80\x99s (OIG) independent evaluation of the\nDepartment of Agriculture\xe2\x80\x99s (USDA) Information Technology (IT) security program and\npractices, as required by the Federal Information Security Management Act (FISMA) of 2002,\nand is based on the questions provided by the Office of Management and Budget\n(OMB)/Department of Homeland Security (DHS). These questions are designed to assess the\nstatus of the Department\xe2\x80\x99s security posture during fiscal year (FY) 2013. The OMB/DHS\nframework requires OIG to audit processes, policies, and procedures that had already been\nimplemented and documented, and were being monitored during FY 2013.\n\nWe noted that the Office of the Chief Information Officer (OCIO) is taking positive steps to\nimprove its security posture into the future. OCIO released three critical Departmentwide\npolicies in the latter part of FY 2013 and the beginning of FY 2014. However, because they\nwere not in effect for most of FY 2013, we could not evaluate the effects of these policies. This\nis a positive first step that will improve IT security within USDA. The second and most critical\nstep requires organizations to create agency-specific procedures based on Departmental\npolicy. The third and final step is for OCIO to review the agencies\xe2\x80\x99 compliance to ensure OCIO\npolicy is implemented. Once this three-step process is institutionalized throughout USDA, its\nsecurity posture should improve and be sustainable in the future. 
The degree to which USDA, as\na whole, complies with FISMA and other security guidance is based on individual agency\nperformance. If each agency is in compliance with the Department\xe2\x80\x99s policies, then USDA as a\nwhole will be FISMA compliant, and more secure. Also, USDA\xe2\x80\x99s National Information\nTechnology Center became compliant with the Federal Risk and Authentication Management\nProgram (FedRAMP) in June 2013, one year earlier than the mandatory date for being\ncompliant. 1\n\nUSDA is working to improve its IT security posture, but many longstanding weaknesses remain.\nWe continue to find that the OCIO has not implemented corrective actions that the Department\nhas committed to as part of the management decision process. In FYs 2009 through 2012, OIG\nmade 49 recommendations for improving the overall security of USDA\xe2\x80\x99s systems, but only 19 of\nthese have been closed. Of those 19 closed recommendations, our testing found 4 where\nweaknesses continue to exist.\n\nAs with compliance, USDA\xe2\x80\x99s security is only as good as the security of its individual agencies\nand staff offices. As part of our FY 2013 FISMA audit testing, we performed a vulnerability\n\n1\n The FedRAMP program supports the U.S. Government\xe2\x80\x99s objective to enable U.S. Federal agencies to use managed\nservice providers that enable cloud computing capabilities. OMB Memorandum, Security Authorization of\nInformation Systems in Cloud Computing Environments (December 8, 2011), established the FedRAMP compliance\ndate. FedRAMP is designed to comply with FISMA.\n\n                                                                    AUDIT REPORT 50501-0004-12            1\n\x0cassessment on seven agencies that were included in our 2008 through 2012 FISMA reviews to\ndetermine if each agency was mitigating its vulnerabilities in a timely manner and thus\nimproving its security posture. 
2 We compared the average number of vulnerabilities per device\nidentified in our 2013 scans to the average number of vulnerabilities found during the previous\nFISMA reviews. For all seven agencies, the average number of vulnerabilities per device\nincreased\xe2\x80\x94in most cases the number doubled; and for three agencies, the number increased by\nover eight times. As a result of this, and the other findings in this report, IT continues to be a\nmaterial weakness for the Department.\n\nIn addition to the agencies not following policies and procedures, we continue to find instances\nwhen OCIO itself does not comply with regulations. For example, OMB defines a major IT\ninvestment as \xe2\x80\x9ca system or acquisition requiring special management attention because of its\nimportance to the mission or function of the agency, a component of the agency, or another\norganization.\xe2\x80\x9d However, in our review of a sample of major IT investments within USDA, we\nfound that an IT investment, which would provide email access and support for over 121,000\nUSDA email users via a cloud provider, was not considered major by the Department upon its\ninception in April 2010. The investment is being reclassified as a major IT investment for\nFY 2015. However, we believe it should have been considered a major IT investment from the\nstart, since it was important to the mission and function of the Department and required special\nmanagement attention. We also found that the Department did not document its rationale for not\nincluding it as a major investment. 
By not classifying it as a major investment in 2010, the\nDepartment did not record and report the information security resources required for the\ninvestment during the annual budgeting process for FYs 2011, 2012 and 2013.\n\nIn addition, we recommended in the FY 2012 FISMA audit that USDA modify the service\nagreement between the Department and the email cloud service provider to incorporate\nappropriate detail, outlining the roles and responsibilities of each party pertaining to incident\nresponse and reporting and to gain visibility into USDA\'s email system (i.e., so that the\nDepartment can view/monitor network traffic in the cloud system). FedRAMP requires agencies\nand cloud service providers to stipulate any specific incident reporting requirements, including\nhow to notify the agency and who to notify. USDA\xe2\x80\x99s current cloud service providers are\nrequired to become FedRAMP compliant by June 2014. However, when the cloud email\nservices contract was renegotiated and signed on September 30, 2013, we determined OCIO did\nnot take advantage of its contract renegotiation period. OCIO did not include incident response\nand reporting responsibilities detailed in FedRAMP guidance, incorporate our recommendation\nto add adequate detail to address incident reporting roles and responsibilities or monitoring\nrequirements to help safeguard USDA systems.\n\nUSDA is a large, complex organization that includes 34 separate agencies and staff offices, most\nwith their own IT infrastructure. OCIO and the 33 other agencies need to be held accountable\nfor implementing the Department\xe2\x80\x99s policies and procedures. If compliance by all agencies is\n\n\n2\n A vulnerability scan is the process of determining the presence of known vulnerabilities by evaluating the target\nsystem over the network. 
DM 3530-001, USDA Vulnerability Scan Procedures (July 20, 2005), requires that\nvulnerability scans are to be performed on a monthly basis for all existing and new networks, systems, servers, and\ndesktops by duly authorized users in accordance with established procedures.\n\n2     AUDIT REPORT 50501-0004-12\n\x0cattained, then FISMA testing results will be similar, regardless of which agency was selected and\ntested, and the Department\xe2\x80\x99s overall security posture would improve.\n\nThe following summarizes the key matters discussed in Exhibit A of this report, which contains\nOIG\xe2\x80\x99s responses to the OMB/DHS questions. These questions were defined on the DHS\nCyberScope FISMA reporting website.\n\nTo address the FISMA metrics, OIG reviewed systems and agencies, 3 OIG independent\ncontractor audits, annual agency self-assessments, and various OIG audits throughout the year. 4\nSince the scope of each review and audit differed, we could not use every review or audit to\naddress each question.\n\nDuring our review we found that USDA has not established a continuous monitoring program.\nSpecifically, we found that the Department has not issued a policy, strategies, or plans for\ncontinuous monitoring. Additionally, we found 72 of 246 systems where ongoing assessments\nof selected security controls had not been performed in FY 2013. In our FY 2010 FISMA report,\nOIG recommended that the Department develop policies, procedures, strategies, and\nimplementation plans for continuous monitoring. The Department concurred and stated it would\nhave a policy, procedures, strategy, and plans in place by September 30, 2011; however, the\nrecommendation remains open.\n\nThe Department has established, and is maintaining, a security configuration management\nprogram; however, there are opportunities for improvement. 
Specifically, we found that the\nDepartment has established adequate policy, and has made standard baseline configurations\navailable for all operating systems in use; however, agencies have not followed the policy or\nbaselines when configuring servers and workstations. Specifically, one agency that OCIO is\nresponsible for was not scanning over 83 percent of its devices on a monthly basis, while another\nagency was not scanning over 29 percent of its devices. We also found that all seven agencies\nwe reviewed did not have a process for timely remediation of scan result deviations. For\nexample, OIG used a commercially available vulnerability scan tool to test 7,104 devices within\nseven agencies to verify that vulnerabilities were mitigated timely. We found 25,813 high and\nmedium vulnerabilities were present and not corrected; 13,489 of these were over 7 months old.\nIn the FY 2010 FISMA audit, OIG recommended the Department ensure scanning for\ncompliance to the baseline configurations and for vulnerabilities be performed, as required by the\nNational Institute of Standards and Technology (NIST). This recommendation remains open;\nOCIO has exceeded its estimated implementation date of August 30, 2011. OCIO is currently\nworking on deploying a Departmentwide vulnerability scanner.\n\nThe Department has established an identity and access management program that is consistent\nwith FISMA requirements, OMB policy, and applicable NIST guidelines to identify users and\n\n3\n  One agency selected for FISMA review actually supports IT services for 12 other USDA agencies and offices.\n4\n  Agency annual self-assessments derive from OMB Circular A-123, which defines Management\xe2\x80\x99s Responsibilities\nfor Internal Control in Federal Agencies (December 21, 2004). The circular requires agency management to\nannually provide assurances on internal control in Performance and Accountability Reports. 
During annual\nassessments, agencies take measures to develop, implement, assess, and report on internal controls, and take action\non needed improvements.\n\n                                                                         AUDIT REPORT 50501-0004-12               3\n\x0cnetwork devices. For example, the Department has developed an account and identity\nmanagement policy that is compliant with NIST standards and has adequately planned for\nPersonal Identification Verification (PIV) implementation for logical access, in accordance with\nGovernment standards. 5 Additionally, agencies were able to identify devices, users, and\nnon-users who access the organization\xe2\x80\x99s systems and networks. Also, the Department is moving\ntowards a centralized enterprise solution for access management which should provide a\nstandardized system that automates network management. However, our testing identified\nopportunities for improvement. We found that agencies did not ensure that users were granted\naccess based on need and agencies did not ensure that accounts were terminated or deactivated\nonce access was no longer required. For example, we found 66 separated users in the two\nagencies that still had active accounts. Departmental policy requires that accounts be disabled\nwithin 48 hours of an employee\xe2\x80\x99s separation. Further testing identified three agencies that did\nnot mandate multi-factor authentication, as required. 6 In addition, three agencies that had\nimplemented multi-factor authentication were not using the organization\xe2\x80\x99s PIV card, as\nrequired. 7\n\nThe Department has established an incident response and reporting program that is consistent\nwith FISMA requirements, OMB policy, and applicable NIST guidelines. Although USDA\xe2\x80\x99s\nincident handling has improved, we continue to find that the Department is not consistently\nfollowing its own policy and procedures in regard to incident response and reporting. 
Our\nreview of 92 incidents disclosed that 24 incidents were not handled in accordance with\nDepartmental procedures. 8 Of the 24 incidents identified, USDA did not report 20 of the\nincidents to the United States-Computer Emergency Response Team (US-CERT) within the\nrequired timeframe. Of these incidents, 13 were the result of a lost or stolen device. These\nincidents were not promptly reported to OCIO\xe2\x80\x99s Incident Management Division (IMD). 9\nAdditional testing determined USDA has procured the tools to correlate incidents across the\nDepartment but has not deployed them effectively. As a result, USDA does not have the ability\nto correlate incidents across its entire network infrastructure. Based on tests of USDA\xe2\x80\x99s cloud\nprovider\xe2\x80\x99s traffic, discussions with USDA IT personnel, and our review of the cloud provider\xe2\x80\x99s\nservice agreement and incident plan, we also determined that the Department is not capable of\n\n5\n  The Executive Branch mandate entitled, Homeland Security Presidential Directive-12 (HSPD-12), originally\nissued in August 2004, requires Federal agencies to develop and deploy for all of their contract personnel and\nemployees a PIV credential, which is used as a standardized, interoperable card capable of being used as employee\nidentification and allows for both physical and information technology system access.\n6\n  Dual-factor (or multi-factor) authentication is a security process in which the user provides two means of\nidentification, one of which is typically a physical token, such as a card, and the other of which is typically\nsomething memorized, such as a security code. 
Departmental Regulation (DR) 3505-003, Access Control Policy\n(August 11, 2009), requires the use of dual or multi-factor authentication.\n7\n  Multi-factor authentication can also utilize a hardware token or virtual token or a smart card (PIV), ("something\nthe user has"), or a thumbprint or iris scanner ("something the user is"). HSPD-12 requires the use of the PIV card.\n8\n  Agriculture Security Operations Center (ASOC) Computer Incident Response Team (CIRT) Standard Operating\nProcedure SOP-ASOC-001, Standard Operating Procedures for Reporting Security and Personally Identifiable\nInformation Incidents (June 9, 2009).\n9\n  The US-CERT provides response support and defense against cyber-attacks for the Federal Civil Executive Branch\n(.gov) and information sharing and collaboration with State and local government, industry, and international\npartners. US-CERT is the operational arm of the National Cyber Security Division (NCSD) at DHS. NCSD was\nestablished by DHS to serve as the Federal Government\xe2\x80\x99s cornerstone for cyber security coordination and\npreparedness.\n\n4     AUDIT REPORT 50501-0004-12\n\x0cmanaging risks in this virtual/cloud environment. USDA lacks the ability to track cloud traffic,\nthe cloud service does not have its own Data Loss Prevention (DLP) solution deployed, and the\nservice agreement between USDA and its cloud service provider does not include the appropriate\nprovisions outlining the incident reporting roles and responsibilities for each party. 10\n\nWe found that OCIO is in the beginning phases of planning for risk management framework\n(RMF). Specifically, the Department does not have a RMF that incorporates all of the FISMA\nrequirements, OMB policy, and applicable NIST guidelines. 11 According to the Department, this\nwas due to lack of resources for OCIO\xe2\x80\x99s governance team. 
Agency officials are responsible for\nensuring all systems meet Federal and Departmental requirements and documenting agency\ncompliance in the Cyber Security Assessment and Management (CSAM) system. 12 OCIO is also\nresponsible for ensuring that agencies are compliant with Federal and Departmental guidance\nand reporting aggregate results during the annual FISMA reporting cycle. NIST transformed the\nassessment and authorization (A&A) process into a six-step RMF process. 13\n\nThe Department issued a guide that addresses parts of the six-step RMF process. The guide also\nclarifies the steps necessary to complete the A&A process. This process requires agencies to\nsubmit their systems\xe2\x80\x99 A&A packages and all supporting documents to the Department for an\nin-depth review (i.e., a concurrency review). During this review, USDA ensures that the\ndocumentation prepared to support system accreditation is complete, accurate, reliable, and\nmeets NIST and other mandated standards. Although the process has changed, we continue to\nfind:\n\n     \xe2\x80\xa2   USDA completed its in-depth document reviews and appropriately returned A&A\n         packages that did not meet NIST requirements to the agencies. However, we found that\n         improvements are still needed. Specifically, we found the following deficiencies in the\n         A&A packages reviewed by OCIO: (1) systems were not properly categorized;\n         (2) system security plan (SSP) controls were not implemented properly and did not\n\n10\n   DLP is the ability \xe2\x80\x9cto detect inappropriate transport of sensitive information and halt the traffic prior to leaving the\nnetwork. Examples of sensitive content are personal identifiers (e.g. credit card or Social Security numbers) or\ncorporate intellectual property.\xe2\x80\x9d\n11\n   The RMF is a NIST publication. 
The publication promulgates a common framework which is intended to\nimprove information security, strengthen risk management, and encourage reciprocity between Federal\nagencies. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework\nto Federal Information Systems (February 2010), was developed by the Joint Task Force Transformation Initiative\nWorking Group. OMB M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management\nAct (August 23, 2004).\n12\n   CSAM is a comprehensive system developed by the Department of Justice, which can facilitate achieving FISMA\ncompliance. CSAM provides a vehicle for the Department, agencies, system owners, and security staffs to\n(1) manage their system inventory, interfaces, and related system security threats and risks; (2) enter system security\ndata into a single repository to ensure all system security factors are adequately addressed; (3) prepare annual system\nsecurity documents, such as security plans, risk analyses, and internal security control assessments; and (4) generate\ncustom and pre-defined system security status reports to effectively and efficiently monitor each agency\xe2\x80\x99s security\nposture and FISMA compliance. This includes agency-owned systems as well as those operated by contractors on\nthe agency\xe2\x80\x99s behalf.\n13\n   A&A is the new terminology for the former C&A process mandated by OMB Circular A-130, Appendix III,\nSecurity of Federal Automated Information Resources (November 28, 2000). 
The process requires that IT system\ncontrols be documented and tested by technical personnel and that the system be granted a formal authority to\noperate (ATO) by an agency official.\n\n                                                                             AUDIT REPORT 50501-0004-12                 5\n\x0c          sufficiently address each control; and (3) security assessment reports (SAR) did\n          not include an authorized security assessment plan (SAP). 14 As a result, USDA cannot\n          be assured that all system controls were documented and tested, and that systems were\n          operating at an acceptable level of risk.\n\n     \xe2\x80\xa2    In order for a system to become operational, NIST 800-37 requires USDA agencies to\n          follow the RMF process to obtain an authority to operate (ATO) and to effectively\n          manage risk for their systems. In order for an ATO to be granted, systems are\n          categorized, controls are identified and implemented, risk are assessed, and the final\n          concurrency review is examined to proceed with accreditation. We found an OCIO\n          parent system in the development stage with four child systems that were operational\n          with no ATO. 15 The Department said these systems were needed for USDA operations\n          and therefore would operate without an ATO for business reasons. We found another\n          five systems that were operational with no ATO. 
Furthermore, the Department has\n          27 systems with expired ATOs, including CSAM, the Department\xe2\x80\x99s system repository.\n          As a result, these systems are operational, but without proper security certification, which\n          leaves the agencies and the Department vulnerable because the systems have not been\n          through proper security testing.\n\nThe Department has established a security training program that is consistent with FISMA\nrequirements, OMB policy, and applicable NIST guidelines. The Department\xe2\x80\x99s policy met all\nNIST requirements for annual security awareness training. 16 However, we identified\nopportunities for improvement. Specifically, USDA does not have policy and procedures to\ngovern specialized security (role-based) training for personnel with significant information\nsecurity responsibilities. NIST states that before allowing individuals access to the application,\nall individuals should receive specialized training focused on their responsibilities. The\nDepartment\xe2\x80\x99s new policy, which includes guidance for Specialized Security Awareness Training,\nwas officially published on October 22, 2013. 17\n\nThe Department has established a plan of action and milestones (POA&M) program that is\nconsistent with FISMA requirements, OMB policy, and applicable NIST guidelines and tracks\n\n\n\n\n14\n   The SSP is a required A&A document that provides an overview of the security requirements of the system and\ndescribes the controls in place (or planned) for meeting those requirements. The SSP also delineates the\nresponsibilities and expected behavior of all individuals who access the system. NIST SP 800-18, Guide for\nDeveloping Security Plans for Federal Information Systems (February 2006). 
The results of the security control\nassessment, including recommendations for correcting any weaknesses or deficiencies in the controls, are\ndocumented in the SAR.\n15\n   A parent system owns, manages, and/or controls the child system. This example is a general security system. It\nhas multiple children beneath it that do various specific security functions, such as vulnerability scanning and\nnetwork monitoring.\n16\n   NIST SP800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations\n(August 2009).\n17\n   DR 3545-001, Information Security Awareness and Training Policy (October 22, 2013).\n\n6        AUDIT REPORT 50501-0004-12\n\x0cand monitors known information security weaknesses. 18 However, our testing identified some\ndeficiencies. For example, four agencies did not create POA&Ms for vulnerabilities existing for\nover 30 days as required by Departmental policy. 19 This occurred because the Department\xe2\x80\x99s\nsecurity manual did not include a policy for establishing a POA&M process until September 25,\n2013. In addition, our review of POA&Ms within CSAM found that agencies were not\nadequately detailing plans for remediation and were not including proper supporting\ndocumentation for effective closure. We found that 128 of the 869 POA&Ms that were closed\nduring FY 2013 had remediation actions that did not sufficiently address the identified weakness.\nWe also noted that priority levels are not being identified in CSAM for each POA&M, and that\nmilestone dates were not always adhered to.\n\nThe Department has established a remote access program that is consistent with FISMA\nrequirements and OMB policy. In addition, the Department is implementing an enterprise\nsolution for remote access which should provide centralized management once fully\nimplemented. However, our testing identified that Departmental policies for remote access and\nteleworking did not meet NIST requirements. 
Specifically, we found both agencies reviewed did\nnot have a fully developed remote access policy or procedures. This occurred because the\nagencies either had a policy or procedures, but not both. In our FY 2010 FISMA report, we\nrecommended that the Department update its policy and procedures to be NIST-compliant. This\nrecommendation is still open and OCIO has exceeded its estimated completion date of August\n31, 2011. We also found that while the Department and agencies were monitoring, detecting,\nand reporting unauthorized (rogue) network connections, there are no documented policies that\nrequire it. This occurred because the Departmental policy was still in draft and has not been\nissued. USDA requires multi-factor authentication for all remote access (i.e., two means of\nidentification). 20 However, one of two agencies reviewed did not have it properly implemented.\nThis occurred because, although the enterprise solution for two-factor authentication\n(LincPass) is implemented and available, it is not required and therefore not being used\nDepartmentwide. Also, the agencies\' inability to distribute the PIV cards limits their\nparticipation. Two other agencies were found through contractor audits or agency self-reports as\nnot having implemented multi-factor authentication.\n\nThe Department has established and is maintaining an enterprise-wide business\ncontinuity/disaster recovery program. However, our testing identified opportunities for\nimprovement. Specifically, Departmentwide, we found that 89 of 243 systems were not testing\n\n\n\n18\n   A POA&M is a tool that identifies tasks needing to be accomplished to assist agencies in identifying, assessing,\nprioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and\nsystems. It details resources required to accomplish the elements of the plan, milestones for meeting the tasks, and\nscheduled completion dates for the milestones. 
The goal of a POA&M should be to reduce the risk of the weakness identified.
[19] DM 3530-001 requires a POA&M to be developed in accordance with Federal Information Security Management Act (FISMA) reporting requirements for any unresolved critical vulnerabilities existing for more than 30 days from the date of the scan.
[20] Multi-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other is typically something memorized, such as a security code. In this context, the two factors involved are sometimes referred to as “‘something you have’ and ‘something you know.’”

contingency/disaster plans annually, as required by NIST and the Department.[21] We found the template provided to agencies for contingency planning purposes was updated, available to the agencies, and contained all of the NIST-required elements. In addition, during our detailed testing at two agencies, we found that all 20 of those plans were developed with the appropriate information required by NIST.

The Department does not have a program in place, a documented policy, or fully developed procedures to oversee systems operated on its behalf by contractors or other entities, including organization systems and services residing in the cloud. OCIO has had a policy in draft for 4 years that is not yet finalized. Due to the lack of policies and procedures in the Department, we found one system was not included in the inventory of contractor systems. In addition, FISMA requires USDA to maintain an inventory of its information systems that, among other information, identifies interfaces between other agency systems.
We reviewed documentation for 15 contractor systems in CSAM and, as noted above, found 5 systems with expired ATOs, insufficient interconnection documentation for 3 systems, and missing authorizing signatures for 14 systems.

Our testing of USDA’s capital planning process determined the Department has established and maintains a capital planning and investment program for information security. However, testing determined that USDA does not maintain sufficient documentation to support its annual IT investment budgetary requests. Therefore, agencies could not support the amounts requested during the annual budgeting process.

The following recommendations are new for FY 2013. Because 30 recommendations from FY 2009 through 2012 have not been closed, we have not made any repeat recommendations. If the plans initiated to close out the FY 2009 through 2012 recommendations are no longer achievable, due to budget cuts or other reasons, then OCIO needs to update those closure plans and request a change in management decision, in accordance with Departmental guidance.

Recommendation 1
Require agencies to perform annual assessments of system security controls in accordance with RMF procedures.

Recommendation 2
Monitor agencies' workstations for United States Government Configuration Baseline (USGCB) compliance, servers for NIST baseline compliance, and verify that deviations are documented, approved, and on file with the Department.

Recommendation 3
Validate the system inventory, annually.

[21] Systems Inventory as of October 28, 2013.
USDA Contingency Plan Exercise Handbook, Rev 1.1 (February 2011).

Recommendation 4
Develop and implement a policy to detect and remove unauthorized (rogue) network connections.

Recommendation 5
Finalize and issue policy for information security oversight of all systems that contractors or other entities operate on the organization’s behalf, including systems and services residing in the cloud.

Recommendation 6
Document decisions regarding classification of IT investments in order to meet OMB standards.

Background & Objectives

Background
Improving the overall management and security of IT resources needs to be a top priority for USDA. Technology enhances users’ abilities to share information instantaneously among computers and networks, but it also makes organizations’ networks and IT resources vulnerable to malicious activity and exploitation by internal and external sources. Insiders with malicious intent, recreational and institutional hackers, and attacks by foreign intelligence organizations are a few of the threats to the Department’s critical systems and data.

On December 17, 2002, the President signed into law the e-Government Act (Public Law 107-347), which includes Title III, FISMA. FISMA permanently reauthorized the framework established by the Government Information Security Reform Act (GISRA) of 2000, which expired in November 2002. FISMA continued the annual review and reporting requirements introduced in GISRA, and also included new provisions that further strengthened the Federal Government’s data and information systems security, such as requiring the development of minimum control standards for agencies’ systems.
NIST was tasked to work with agencies in developing standards as part of its statutory role in providing technical guidance to Federal agencies.

FISMA also supplements the information security requirements established in the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Clinger-Cohen Act of 1996. The Act is consistent with existing information security guidance issued by OMB and NIST. More importantly, however, FISMA consolidated these separate requirements and guidance into an overall framework for managing information security. It established new annual reviews, independent evaluations, and reporting requirements to ensure agency compliance. It also provided for both OMB and Congressional oversight.

FISMA assigned specific responsibilities to OMB, agency heads, Chief Information Officers (CIO), and Inspectors General. OMB is responsible for establishing and overseeing policies, standards, and guidelines for information security. The responsibilities include the authority to approve agencies’ information security programs. OMB also requires the submittal of an annual report to Congress summarizing the results of agencies' evaluations of their information security programs. Instructions for FY 2013 FISMA are outlined in OMB M-14-04, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, and DHS uses the CyberScope website to consolidate the reporting.

Each agency must establish a risk-based information security program that ensures information security is practiced throughout the lifecycle of each agency’s system.
Specifically, the agency’s CIO must oversee this program, which, following OMB Memorandum 07-24, must include:

• periodic risk assessments that consider internal and external threats to the integrity, confidentiality, and availability of systems and data supporting critical operations and assets;
• development and implementation of risk-based, cost-effective policies and procedures to provide security protections for the agency’s information;
• training that covers security responsibilities for information security personnel and security awareness for agency personnel;
• periodic management testing and evaluation of the effectiveness of security policies, procedures, controls, and techniques;
• processes for identifying and remediating significant security deficiencies;
• procedures for detecting, reporting, and responding to security incidents; and
• annual program reviews by agency officials.

In addition, FISMA requires each agency to have an annual independent evaluation of its information security program and practices, including control testing and compliance assessment.
The evaluations are to be performed by the agency’s Inspector General or an independent evaluator, and the results of these evaluations are to be reported to OMB.

Objectives

The objective of this audit was to evaluate the status of USDA’s overall IT security program by evaluating the:

• effectiveness of the Department’s oversight of agencies’ IT security programs, and compliance with FISMA;
• agencies’ systems of internal controls over IT assets;
• Department’s progress in establishing a Departmentwide security program, which includes effective assessments and authorizations;
• agencies’ and the Department’s POA&M consolidation and reporting process; and the effectiveness of controls over configuration management, incident response, IT training, remote access management, identity and access management, continuous monitoring, contingency planning, contractor systems and IT capital planning.

Scope and Methodology
The scope of our review was Departmentwide and included agency IT audit work completed during FY 2013. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Fieldwork for this audit was performed remotely at USDA locations throughout the continental United States from December 2012 through November 2013. In addition, this report incorporates audits done throughout the year by OIG.
Testing was conducted at offices in the Washington, D.C. and Kansas City, Missouri, areas. Additionally, we included the results of IT control testing and compliance with laws and regulations performed by contract auditors at eight additional USDA agencies. In total, our FY 2013 audit work covered 11 agencies and staff offices:

• Agricultural Research Service,
• Departmental Management,
• Foreign Agricultural Service,
• Food and Nutrition Service,
• Farm Service Agency,
• Food Safety and Inspection Service,
• National Agricultural Statistics Service,
• Natural Resources Conservation Service,
• Office of the Chief Financial Officer,
• OCIO, and
• Risk Management Agency.

These agencies and staff offices operate 159 of the Department’s 246 general support and major application systems.

To accomplish our audit objectives, we performed the following procedures:

• Consolidated the results and issues from our prior IT security audit work and the work contractors performed on our behalf. Contractor audit work consisted primarily of audit procedures found in the U.S.
Government Accountability Office’s (GAO) Financial Information System Control Audit Manual;
• Performed detailed testing specific to FISMA requirements at selected agencies, as detailed in this report;
• Gathered the necessary information to address the specific reporting requirements outlined in OMB Memorandum M-14-04, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, and the DHS CyberScope FISMA Reporting Website;
• Evaluated the Department’s progress in implementing recommendations to correct material weaknesses identified in prior OIG and GAO audit reports;
• Performed statistical sampling on testing where appropriate. Additional sample analysis information is presented in Exhibit B.

We compared test results against NIST controls, OMB/DHS guidance, e-Government Act requirements, and Departmental policies and procedures for compliance.

Abbreviations
A&A ............................ Assessment and Authorization
ARS ............................. Agricultural Research Service
ASOC .......................... Agriculture Security Operations Center
ATO ............................ Authority to Operate
BIA .............................. Business Impact Analysis
C&A ............................ Certification and Accreditation
CIO .............................. Chief Information Officer
CIRT ........................... Computer Incident Response Team
CISO ........................... Chief Information Security Office
CPIC ............................ Capital Planning and Investment Control
CPD .............................
Capital Planning Division
CPO ............................. Cyber Policy Oversight
CSAM ......................... Cyber Security Assessment and Management
DHS ............................. Department of Homeland Security
DLP ............................. Data Loss Prevention
DM .............................. Departmental Manual
DoD ............................. Department of Defense
DR ............................... Departmental Regulation
FCIC ............................ Federal Crop Insurance Corporation
FDCC .......................... Federal Desktop Core Configurations
FedRAMP ................... Federal Risk and Authorization Management Program
FISMA ........................ Federal Information Security Management Act
FS ................................ Forest Service
FY ............................... Fiscal Year
GAO ............................ Government Accountability Office
GISRA ......................... Government Information Security Reform Act
HSPD-12 ..................... Homeland Security Presidential Directive-12
IMD ............................. Incident Management Division
IP ................................. Internet Protocol
ISCM ........................... Information Security Continuous Monitoring
IT ................................. Information Technology
ITS ............................... International Technology Services
MOU ........................... Memorandum of Understanding
NCSD .......................... National Cyber Security Division
NIST ............................ National Institute of Standards and Technology
NITC ........................... National Information Technology Center
OCIO ........................... Office of the Chief Information Officer
OIG ............................. Office of Inspector General
OMB ........................... Office of Management and Budget
PIV .............................. Personal Identification Verification
POA&M ......................
Plan of Action and Milestone
RMF ............................ Risk Management Framework
SAP ............................. Security Assessment Plan
SAR ............................. Security Assessment Report
SOP ............................. Standard Operating Procedure
SP ................................ Special Publication
SSP .............................. System Security Plan
TT&E .......................... Test, Training, and Exercise
USGCB ....................... United States Government Configuration Baseline
US-CERT .................... US-Computer Emergency Response Team
USDA .......................... Department of Agriculture

Exhibit A: Office of Management and Budget / Department of Homeland Security Reporting Requirements and U.S. Department of Agriculture Office of Inspector General Position

OMB/DHS’ questions are set apart using boldface type in each section. OIG checks items on OMB/DHS’ list, boldfacing and underlining the relevant text. We answer direct questions with either Yes or No.

The universe of systems and agencies reviewed varied during each audit or review included in this report. As part of FISMA, OIG reviewed: systems and agencies, audit work conducted for OIG by independent public accounting firm contractors, annual agency self-assessments, and various OIG audits conducted throughout the year.[22] Since the scope of each review and audit differed, we could not use every review or audit to answer each question.

The audit team reviewed all 11 FISMA areas. We incorporated statistical sampling into four FISMA areas.
Each of the four areas was represented by the relevant universe associated with it. The specific sample designs are summarized in Exhibit B.

S1: Continuous Monitoring Management

1.1 Has the organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? - No

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

1.1.1 Documented policies and procedures for continuous monitoring (NIST SP 800-53: CA-7). - No

The Department has developed the risk management framework (RMF) guidance and is currently working on a Departmental Regulation (DR) policy entitled Security Assessment and Authorization in regards to continuous monitoring. However, this DR is still in draft and has not been implemented. Both the RMF and draft DR are pieces of the continuous monitoring strategy, but there is no over-arching continuous monitoring policy or procedures within the Department. We also identified one of two agencies reviewed that did not have an agency policy in place.[23]

[22] Agency annual self-assessments are a result of OMB Circular A-123, Management’s Responsibility for Internal Control (December 21, 2004), which defines management’s responsibility for internal controls in Federal agencies. The Circular requires agencies’ management to annually provide assurances on internal control in its Performance and Accountability Report. During the annual assessment, agencies take measures to develop, implement, assess, and report on internal control, and to take action on needed improvements.
[23] NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations (August 2009).
CA-7 requires the organization to establish a continuous monitoring strategy and program.

1.1.2 Documented strategy and plans for continuous monitoring (NIST SP 800-37 Rev 1, Appendix G). - No

The Department provided a strategy for developing an enterprise-wide continuous monitoring plan. However, this strategy was in draft and has not been implemented. OCIO also provided OIG with the USDA Information Security Continuous Monitoring Program Charter. This document contains objectives and milestones that OCIO would like to achieve in order to improve continuous monitoring within agencies and the Department. Additionally, the Department has a variety of continuous monitoring tools that have helped benefit its security posture. For example, the Department has a network tool, and although not fully operational, it was actively monitoring for malicious activity within the USDA network.[24] One agency we reviewed met with the Agriculture Security Operations Center (ASOC) on a regular basis to discuss the security incidents found with this tool. Furthermore, USDA has been actively using another tool to help standardize and centralize the governance of workstations and servers.

1.1.3 Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans (NIST SP 800-53, NIST 800-53A). - No

We identified 72 of 246 systems where ongoing assessments of selected security controls had not been performed in FY 2013.
[25] The agencies that own these systems cannot ensure that controls remain effective over time, as changes occur in threats, missions, environments of operation, and technologies.

1.1.4 Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as a common and consistent POA&M program that is updated with the frequency defined in the strategy and/or plans (NIST SP 800-53, 800-53A). - No

We found that one of two agencies was unable to verify that the required information was provided to the authorizing official or other key system officials.

In the FY 2010 FISMA report, we recommended that the Department ensure system authorizing officials and other key system officials are provided with security status reports covering updates to security plans and security assessment reports, as well as POA&M additions. The recommendation remains open and exceeded the estimated completion date of September 30, 2011.

[24] When a sensor is not inline, traffic does not flow through the sensor. The sensor instead analyzes a copy of the monitored traffic. The advantage of operating this way is that the sensor does not affect network performance. The disadvantage of operating in this mode, however, is the sensor cannot actively stop malicious traffic from reaching its intended target.
The response actions implemented by the sensor devices are post-event responses.
[25] The 246 major applications were reported in CSAM as of October 21, 2013.

1.2 Please provide any additional information on the effectiveness of the organization’s Continuous Monitoring Management Program that was not noted in the questions above.

No additional information to provide.

S2: Configuration Management

2.1 Has the organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? - Yes

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

2.1.1 Documented policies and procedures for configuration management. - Yes

No exception noted. NIST requires that the organization develop formal documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.[26] OIG found the configuration management program includes adequate documented policies and procedures at both the Department and agency level.

2.1.2 Defined standard baseline configurations. - Yes

No exception noted. The Department follows the NIST configuration baseline guides.[27]

2.1.3 Assessments of compliance with baseline configurations. - No

NIST requires the organization to develop, document, and maintain a current baseline configuration of the information system. We found that two of two agencies reviewed did not configure servers in accordance with the NIST requirements. Specifically, we found that over 89 percent of the settings on the Windows servers at both agencies were not compliant with the baseline guides provided by NIST.
In addition, two other agencies self-reported a deficiency with baseline configurations.

In the FY 2009 FISMA report, we recommended that the Department implement effective policies and procedures to ensure agencies use required NIST and Departmental configuration checklists and document the reasons for those settings not implemented. OCIO has exceeded its estimated completion date of July 30, 2011. Also, in the FY 2010 FISMA report, we recommended that the Department ensure documented configuration management procedures are developed and consistently implemented across the Department, including baseline configurations for all approved software and hardware. Any changes to the baseline guides should be documented and approved. OCIO has exceeded its estimated completion date of September 30, 2011.

[26] NIST SP 800-53 Rev. 3, control CM-1 requires that a formal documented configuration management policy and procedures be developed.
[27] NIST SP 800-70 Rev. 2, National Checklist Program for IT Products—Guidelines for Checklist Users and Developers Recommendations (February 2011).

2.1.4 Process for timely, as specified in organization policy or standards, remediation of scan result deviations. - No

We found that seven of seven agencies reviewed did not have a process for timely remediation of scan result deviations.[28] Specifically, OIG used a commercially available vulnerability scan tool to test 7,104 devices within seven agencies to verify that vulnerabilities were managed timely. We found 25,813 high and medium vulnerabilities were present and not corrected; 13,489 of these were over 7 months old. As a result, networks and devices within the Department are at increased risk of being compromised.

2.1.5 For Windows-based components, USGCB secure configuration settings are fully implemented, and any deviations from USGCB baseline settings are fully documented.
- No

NIST requires the organization to establish and document mandatory security configuration settings for information technology products employed within the information system. Two such requirements are the Federal Desktop Core Configurations (FDCC) secure configurations for user workstations and laptops[29] and the United States Government Configuration Baseline (USGCB), which evolved from the FDCC mandate to provide guidance to agencies on what should be done to improve and maintain effective configuration settings, focusing primarily on security. We found that two of two agencies reviewed did not fully implement FDCC/USGCB secure configuration settings and document all deviations from baseline settings. Specifically, in the agencies tested we found a total of 537,112 FDCC/USGCB settings that should have been implemented; however, 195,481 (36 percent) of the settings were not in compliance with those standards. These missing standards make the laptops and workstations less secure and users more susceptible to compromise.

In the FY 2009 FISMA report, OIG recommended the Department complete the FDCC deployment and ensure all FDCC deviations are documented by the agencies. Final action has been achieved; however, this problem continues.

2.1.6 Documented proposed or actual changes to hardware and software configurations. - No

NIST requires the organization to document approved configuration-controlled changes to the system. Our review did not identify any issues with documented proposed or actual changes to hardware and software configurations. However, the A-123 self-inspection identified three of eight agencies self-reported deficiencies with configuration change control testing.

[28] A vulnerability scan is the process of determining the presence of known vulnerabilities by evaluating the target system over the network. Departmental Manual (DM) 3530-001, USDA Vulnerability Scan Procedures (July 20, 2005), requires that vulnerability scans are to be performed on a monthly basis for all existing and new networks, systems, servers, and desktops by duly authorized users in accordance with established procedures.
[29] OMB Memorandum 07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems (March 22, 2007), requires agencies to adopt the security configurations developed by NIST, the Department of Defense, and DHS.

2.1.7 Process for timely and secure installation of software patches. - No

NIST requires the organization to identify and correct system flaws and incorporate flaw remediation (known as vendor patches) into the organizational configuration management process.[30] We found five of seven agencies reviewed did not have an implemented process for the timely and secure installation of software patches. Specifically, OIG found 293 high and medium vulnerabilities where the corrective action was to apply a vendor issued patch; in 271 of the 293 instances, patches were available for at least 7 months but the agency had not installed them.

In the FY 2010 FISMA report, OIG recommended that the Department develop automated procedures for the timely and secure installation of software patches. The recommendation is still open, and OCIO has exceeded its estimated completion date of June 15, 2011.

2.1.8 Software assessing (scanning) capabilities are fully implemented (NIST SP 800-53: RA-5, SI-2).
- No

DM 3530-001 requires all agencies to establish and implement procedures for accomplishing vulnerability scanning of all networks, systems, servers, and desktops for which they have responsibility. This includes performing monthly scans and remediating vulnerabilities found as a result of the scans. We found two of two agencies reviewed did not implement scanning capabilities, as required. Specifically, one agency was not scanning 1,275 of 1,530 devices monthly (83.33 percent).

In the FY 2009 FISMA report, OIG recommended that the Department develop and implement an effective monthly FISMA scorecard to be used for agency reporting and Departmental oversight. We also recommended that USDA ensure that the scorecard includes verifiable items such as vulnerability scanning, patching, anti-virus reports, and training. Final action has been achieved, but this problem continues. In the FY 2010 FISMA report, OIG recommended that the Department ensure scanning is performed as required by NIST for compliance with the baseline configurations and for vulnerabilities. This recommendation is open and has exceeded the estimated completion date of September 30, 2011. OCIO is currently working on deploying a Departmentwide vulnerability scanner.

In addition, OIG recommended in the FY 2011 FISMA report that the Department develop monitoring procedures to verify that monthly vulnerability scans are completed as required by Departmental guidance. Management decision has not been reached.

[30] A patch is a small piece of software that is used to correct a problem with a software program or an operating system.
Most major software companies will periodically release patches, usually downloadable from the internet, that correct very specific problems or security flaws in their software programs.

2.1.9 Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards. (NIST SP 800-53: CM-4, CM-6, RA-5, SI-2) - No

NIST requires Federal agencies to establish and document mandatory configuration settings for information technology products employed within the information system, and to implement the recommended configuration settings. OIG found that two of two agencies reviewed did not remediate configuration vulnerabilities. Specifically, we found 733 configuration-related vulnerabilities on 646 network devices.[31] In addition, we found 6,089 configuration-related vulnerabilities on 6 websites maintained by the agencies.[32] Consequently, the devices and websites are at risk for compromise.

In the FY 2011 FISMA report, OIG recommended the Department develop monitoring procedures to verify that all Department and agency network devices are configured in accordance with NIST. Management decision has been reached with an estimated completion date of September 30, 2013.

2.1.10 Patch management process is fully developed, as specified in organization policy or standards. (NIST SP 800-53: CM-3, SI-2). - No

NIST requires Federal agencies to incorporate vendor software flaw remediation (patches) into the organizational configuration management process. We found that four of four agencies reviewed did not have a fully developed patch management process. Specifically, as noted in our response to question 2.1.7, we found 271 of 293 high and medium vulnerabilities were present on USDA devices where the patches were available for 7 months or more, but the agencies had not applied them.
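The aging and coverage checks behind questions 2.1.4, 2.1.7, 2.1.8 and 2.1.10, as an added example that is not part of the OIG report: it takes constructed scan findings, a device inventory and a POA&M list, and reports open high/medium findings past the 30-day threshold of DM 3530-001 that have no POA&M, findings whose vendor patch has been available for 7 months or more, and devices missed by the monthly scan. The hostnames and vulnerability identifiers are constructed, and treating "7 months" as 210 days is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                     # scanner identifier (constructed values below)
    severity: str                    # "high", "medium" or "low"
    first_seen: date                 # date of the scan that first reported it
    patch_available: Optional[date]  # vendor patch release date; None if the fix is a config change
    fixed: bool = False              # True once a later scan no longer reports it


@dataclass(frozen=True)
class Poam:
    host: str
    vuln_id: str
    milestone: date


POAM_AGE_DAYS = 30        # DM 3530-001: unresolved more than 30 days from the scan -> POA&M required
SCAN_INTERVAL_DAYS = 30   # DM 3530-001: monthly scans of all networks, systems, servers and desktops
STALE_PATCH_DAYS = 210    # assumption: the report's "7 months" taken as 7 * 30 days
ACTIONABLE = frozenset({"high", "medium"})


def open_findings(findings: Iterable[Finding]) -> list[Finding]:
    """Unfixed high/medium findings, the population the report counts."""
    return [f for f in findings if not f.fixed and f.severity in ACTIONABLE]


def overdue_findings(findings: Iterable[Finding], as_of: date) -> list[Finding]:
    """Open findings older than the 30-day threshold, i.e. those that need a POA&M."""
    return [f for f in open_findings(findings) if (as_of - f.first_seen).days > POAM_AGE_DAYS]


def findings_missing_poam(findings: Iterable[Finding], poams: Iterable[Poam], as_of: date) -> list[Finding]:
    """Overdue findings with no POA&M tracking them (the 2.1.4 / footnote 19 condition)."""
    covered = {(p.host, p.vuln_id) for p in poams}
    return [f for f in overdue_findings(findings, as_of) if (f.host, f.vuln_id) not in covered]


def stale_patches(findings: Iterable[Finding], as_of: date) -> list[Finding]:
    """Open findings whose vendor patch has been available for 7 months or more (2.1.7 / 2.1.10).
    Age is measured from the patch release, not from first sight, so a finding first seen last
    week still counts when the patch it needs is months old."""
    return [f for f in open_findings(findings)
            if f.patch_available is not None
            and (as_of - f.patch_available).days >= STALE_PATCH_DAYS]


def scan_coverage(inventory: Iterable[str], last_scan: dict[str, date], as_of: date) -> tuple[int, int, float]:
    """(unscanned, total, percent unscanned) against the monthly requirement (2.1.8).
    A device absent from the scan log counts as unscanned."""
    hosts = list(inventory)
    unscanned = [h for h in hosts
                 if h not in last_scan or (as_of - last_scan[h]).days > SCAN_INTERVAL_DAYS]
    pct = round(100.0 * len(unscanned) / len(hosts), 2) if hosts else 0.0
    return len(unscanned), len(hosts), pct


# Constructed sample data (not from the report).
AS_OF = date(2013, 9, 30)
FINDINGS = [
    Finding("srv-01", "VULN-0001", "high", date(2013, 1, 15), date(2013, 1, 8)),
    Finding("srv-01", "CFG-0002", "medium", date(2013, 8, 20), None),
    Finding("srv-02", "VULN-0003", "high", date(2013, 9, 10), date(2013, 2, 12)),
    Finding("ws-07", "VULN-0004", "medium", date(2013, 2, 1), date(2013, 1, 20), fixed=True),
    Finding("ws-08", "INFO-0005", "low", date(2013, 1, 1), None),
]
POAMS = [Poam("srv-01", "VULN-0001", date(2013, 12, 31))]
INVENTORY = ["srv-01", "srv-02", "ws-07", "ws-08", "ws-09", "ws-10"]
LAST_SCAN = {"srv-01": date(2013, 9, 28), "srv-02": date(2013, 9, 10),
             "ws-07": date(2013, 6, 1), "ws-08": date(2013, 9, 2)}


def compliance_summary(findings=FINDINGS, poams=POAMS, inventory=INVENTORY,
                       last_scan=LAST_SCAN, as_of=AS_OF) -> dict:
    """The headline numbers of the kind the report cites (e.g. '13,489 over 7 months old')."""
    unscanned, total, pct = scan_coverage(inventory, last_scan, as_of)
    return {
        "open": len(open_findings(findings)),
        "overdue": len(overdue_findings(findings, as_of)),
        "missing_poam": [(f.host, f.vuln_id) for f in findings_missing_poam(findings, poams, as_of)],
        "stale_patch": [(f.host, f.vuln_id) for f in stale_patches(findings, as_of)],
        "unscanned": unscanned, "devices": total, "unscanned_pct": pct,
    }


if __name__ == "__main__":
    for key, value in compliance_summary().items():
        print(f"{key}: {value}")
```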
As a result, USDA devices are susceptible to compromise.

2.2 Please provide any additional information on the effectiveness of the organization's Configuration Management Program that was not noted in the questions above.

No additional information to provide.


S3: Identity and Access Management

3.1 Has the organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and which identifies users and network devices? - Yes

Besides the improvement opportunities that have been identified by the OIG, does the program include the following attributes?

[31] We utilized a commercially available software package designed to test security and configuration policies to analyze agency network devices for compliance with FISMA requirements.
[32] We utilized a commercially available software package designed to thoroughly analyze web applications and web services (websites) for security vulnerabilities.

3.1.1 Documented policies and procedures for account and identity management (NIST SP 800-53: AC-1). - Yes

No exception noted. We found that the Department's current policy is substantially compliant and procedures at the two agencies we reviewed met NIST SP 800-53.

3.1.2 Identifies all users, including Federal employees, contractors, and others who access organization systems (NIST SP 800-53, AC-2). - No

We found that one of the two agencies reviewed did not identify all users, including Federal employees, contractors, and others who access USDA systems. Additionally, one agency self-reported deficiencies in this area. For example, one agency does not segregate Federal employees, contractors, and others who access the organization's systems in its user access management database. However, the agency stated this was a priority to address in FY 2014, as it moves to the Department's new enterprise user access management database system. The other agency reported that a system it owned did not distinguish between guest and temporary accounts and that they could not be properly identified with the incomplete user account attribute data available.

3.1.3 Identifies when special access requirements (e.g., multifactor authentication) are necessary. - No

Currently, the Department requires agencies to implement multi-factor authentication for all forms of remote access to agency information systems.[33] However, we found that one of two agencies reviewed by OIG did not have multi-factor authentication properly implemented. Additionally, two agencies self-reported deficiencies in this area. One agency reviewed was using the Departmental LincPass system for remote access; however, users were still able to use their username and password to authenticate remotely.

3.1.4 If multi-factor authentication is in use, it is linked to the organization's PIV program where appropriate (NIST SP 800-53, IA-2). - No

We found that one of two agencies reviewed by OIG did not use multi-factor authentication linked to the Department's Personal Identification Verification (PIV) credentials program.[34] In addition, two agencies self-reported deficiencies in this area. One agency was using the PIV cards for remote access; however, users were still able to use their username and password to authenticate remotely. Inadequate security controls over special access requirements could result in the unauthorized access, use, disclosure, modification, or destruction of information.

[33] Departmental Regulation (DR) 3505-003, Access Control Policy (August 11, 2009). Multi-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other is typically something memorized, such as a security code. In this context, the two factors involved are sometimes spoken of as "something you have" and "something you know."
[34] The Executive Branch mandate entitled Homeland Security Presidential Directive 12 (HSPD-12), originally issued in August 2004, requires Federal agencies to develop and deploy for all of their contract personnel and employees a PIV credential, which is used as a standardized, interoperable card capable of being used as employee identification and allows for both physical and information technology system access.

3.1.5 Organization has planned for implementation of PIV for logical access in accordance with government policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11). - No

We found that one of two agencies reviewed did not use PIV cards for logical access in accordance with Government policies. This occurred because the agency was not able to provide evidence that it had a plan for PIV card implementation.

3.1.6 Organization has adequately planned for implementation of PIV for physical access in accordance with government policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11). - No

OIG found that one of two agencies was unable to provide evidence of adequate planning.

3.1.7 Ensures that the users are granted access based on needs and separation-of-duties principles. - No

OIG testing found no exceptions in granting access based on needs and separation of duties in the agencies we reviewed. However, three agencies were reported in contractor reviews and two agencies self-reported deficiencies in this area.
As a result, accounts have excessive privileges, which may result in the unauthorized access, misuse, disclosure, disruption, modification, or destruction of information.

3.1.8 Identifies devices with IP addresses that are attached to the network and distinguishes these devices from users (For example: IP phones, faxes, printers are examples of devices attached to the network that are distinguishable from desktops, laptops or servers that have user accounts). - Yes

No exception noted. OIG found that all agencies reviewed were able to provide evidence that their Identity and Access Management program identified devices with Internet Protocol (IP) addresses that are attached to the network.

3.1.9 Identifies all user and non-user accounts (Refers to user accounts that are on a system. Data user accounts are created to pull generic information from a database or a guest/anonymous account for generic login purposes. They are not associated with a single user or a specific group of users.) - Yes

No exception noted. OIG found that all agencies reviewed were able to identify user and non-user accounts.

3.1.10 Ensures that accounts are terminated or deactivated once access is no longer required. - No

OIG found that two of the two agencies reviewed did not ensure that accounts were terminated or deactivated once access was no longer required. In addition, three of seven agencies were also reported in contractor reviews as not terminating or deactivating accounts once access was no longer required. Additionally, three of eight agencies self-reported deficiencies in this area. For example, we found 66 separated users in the two agencies that still had active accounts. This occurred because the agencies reviewed used a manual process to determine which accounts to terminate, leaving the process prone to errors. This process is also not considered a timely way of tracking and reporting separated employees. Departmental policy states that accounts should be disabled within 48 hours of an employee's separation. The agencies are not properly terminating users when access is no longer required, which may result in the unauthorized access, misuse, disclosure, disruption, modification, or destruction of information.

3.1.11 Identifies and controls use of shared accounts. - Yes

No exception noted. OIG determined that all agencies reviewed identified and controlled shared accounts.

3.2 Please provide any additional information on the effectiveness of the organization's Identity and Access Management Program that was not noted in the questions above.

No additional information to provide.


S4: Incident Response and Reporting

4.1 Has the organization established an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? - Yes

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

4.1.1 Documented policies and procedures for detecting, responding to, and reporting incidents (NIST SP 800-53: IR-1). - No

We found that Departmental policy and procedures met all of the NIST requirements.[35] However, our review of two agencies found that one agency had not developed procedures and the other agency had procedures, but they were not current.

4.1.2 Comprehensive analysis, validation and documentation of incidents. - No

Our review found that 24 of 92 incidents were not handled in accordance with Departmental procedures.[36] Based on our overall sample results, we estimate that 530 incidents (26 percent of the universe) were not handled in accordance with Departmental procedures.[37] For example, agencies are required to submit documentation to the Department detailing the steps taken to close out the incident. Specific documents and completed forms are required to be returned to the Department; however, we found that 5 of the 24 incidents either had incomplete incident documentation or did not include the required documentation outlined in the procedures. For example, four incidents did not have the required incident identification form completed.

[35] NIST SP 800-61, Computer Security Incident Handling Guide (March 2008).
[36] We based our sample size on a 40 percent error rate and a desired absolute precision of +/-10 percent, at the 95 percent confidence level. With these assumptions, we calculated a sample size of 92 incidents for review and selected them by choosing a simple random sample. Additional sample design information is presented in Exhibit B.

4.1.3 When applicable, reports to US-CERT within established timeframes (NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19). - No

The US-Computer Emergency Response Team (US-CERT) requires USDA to notify it of incidents within specified timeframes, based on the category of the incident.[38] We reviewed a statistical sample of incidents, which disclosed that USDA had not reported 20 of 92 incidents to US-CERT within the required timeframe; 13 of these resulted from lost or stolen devices that were not promptly reported to OCIO's Incident Management Division (IMD).[39] Based on our overall sample results, we estimate that 460 incidents (22.4 percent of the universe) were not reported to US-CERT as required.[40] For example, US-CERT requires actual or potential PII incidents, which include lost or stolen equipment, to be reported within one hour; however, we found that an agency did not report a lost equipment incident to IMD (to forward to US-CERT) for 26 days.[41] Additionally, we found one lost equipment incident that was not reported to US-CERT at all. ASOC was unable to verify whether US-CERT was notified of this incident.

4.1.4 When applicable, reports to law enforcement within established timeframes (NIST SP 800-61). - No

We found that 1 of 4 (25 percent) tested incidents was not reported to law enforcement as required.

4.1.5 Responds to and resolves incidents in a timely manner, as specified in organization policy or standards, to minimize further damage (NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19). - Yes

No exception noted.

[37] We are 95 percent confident that between 344 (17 percent of the universe) and 716 (35 percent of the universe) FY incidents were not handled in accordance with Departmental procedures. Additional sample design information is presented in Exhibit B.
[38] US-CERT provides response support and defense against cyber-attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with State and local government, industry, and international partners. US-CERT is the operational arm of NCSD at DHS. NCSD was established by DHS to serve as the Federal Government's cornerstone for cyber security coordination and preparedness.
[39] We based our sample size on a 40 percent error rate and desired absolute precision of +/-10 percent, at the 95 percent confidence level. With these assumptions, we calculated a sample size of 92 incidents for review and selected them by choosing a stratified sample. Additional sample design information is presented in Exhibit B.
[40] We are 95 percent confident that between 283 (13.8 percent of the universe) and 637 (31 percent of the universe) incidents in FY were not reported to US-CERT as required. Additional sample design information is presented in Exhibit B.
[41] Lost equipment is defined as a lost or stolen laptop, smartphone, or other electronic device that is issued to USDA employees for performance of the employees' day-to-day responsibilities.

4.1.6 Is capable of tracking and managing risks in a virtual/cloud environment, if applicable. - No

We conducted testing to determine if USDA is capable of tracking and managing risks in a virtual/cloud environment. Based on the test traffic we sent to and received from the cloud provider, discussions with USDA IT personnel, and our review of the cloud provider's agreements and incident plan, we determined that USDA is not capable of managing risks in a virtual/cloud environment.[42] USDA lacks the ability to track cloud traffic, the cloud email solution does not have a deployed Data Loss Prevention (DLP) solution, and the service agreement between USDA and its cloud service provider does not include the appropriate detail outlining the roles and responsibilities for each party.[43]

In the FY 2012 FISMA audit, we recommended that USDA modify the service agreement between the Department and the email cloud service provider to incorporate appropriate detail outlining the roles and responsibilities of each party pertaining to incident response and reporting. Additionally, the Department should work with the cloud provider to gain visibility into USDA's email system (i.e., so that the Department can view/monitor network traffic in the cloud system).
Also, a Federal initiative, the Federal Risk and Authorization Management Program (FedRAMP), effective June 2014, requires agencies and cloud service providers to stipulate any specific incident reporting requirements, including who to notify and how to notify the agency.[44] USDA's current cloud service providers are required to become compliant by June 2014.

Although our review was conducted prior to the June 2014 deadline, the cloud email services contract was renegotiated and signed on September 30, 2013. We determined that USDA did not take advantage of its contract renegotiation period to include adequate detail within the contract to address incident reporting roles and responsibilities, nor did it include monitoring requirements to help safeguard USDA systems.

4.1.7 Is capable of correlating incidents. - No

Based on our testing, we determined that, although the Department has the capability to monitor and correlate incidents for incident response and reporting within USDA, the current security tools do not see or capture all network traffic.

[42] The test traffic generated was an email message that was sent from a USDA cloud-based email account to a test Google email account (Gmail). The e-mail message contained an unencrypted spreadsheet that included 50 fictitious names, fictitious social security numbers, and fictitious credit card numbers. When the e-mail was sent, it was sent to the Cloud Service Provider through the USDA network and subsequently received by the Gmail account from the Cloud Service Provider.
[43] DLP is the ability "to detect inappropriate transport of sensitive information. Examples of sensitive content are personal identifiers (e.g. credit card or social security numbers) or corporate intellectual property."
[44] The FedRAMP program supports the U.S. Government's objective to enable U.S. Federal agencies to use managed service providers that enable cloud computing capabilities. The program is designed to comply with FISMA.

In the FISMA 2011 and 2012 reports, OIG recommended the Department deploy adequate resources to monitor and configure new security tools and then adequately report and close the related incidents. Management decision has not been reached on the FY 2011 recommendation, but has been reached on the FY 2012 recommendation, with an estimated completion date of September 30, 2013.

4.1.8 Has sufficient incident monitoring and detection coverage in accordance with government policies (NIST SP 800-53, 800-61; OMB M-07-16, M-06-19). - Yes

No exception noted. Our review of the Department's incident monitoring and detection coverage determined that it has sufficient incident detection and monitoring coverage.

4.2 Please provide any additional information on the effectiveness of the organization's Incident Management Program that was not noted in the questions above.

No additional information to provide.


S5: Risk Management

5.1 Has the organization established a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? - No

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

5.1.1 Documented policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this process. - No

The Department does not have a finalized risk management policy. The Department does have procedures, but they lack some required elements. For example, the procedures are missing guidance for an authorization termination date. This date is established by the authorizing official to indicate when the security authorization expires.[45] The Department is in the process of making revisions and addressing missing requirements and enhancements to the procedures. Without a policy, the Department does not have a consistent and effective approach to risk management that is applied to all risk management processes and procedures.

In the FISMA 2011 report, OIG recommended the Department develop a risk management policy and associated procedures that fully comply with NIST. Management decision has been reached with an estimated completion date of September 30, 2013.

[45] USDA Six Step Risk Management Framework Process Guide (July 2011). NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems (February 2010), states that organizational officials must identify the resources necessary to complete the risk management tasks described in this publication and ensure that those resources are made available to appropriate personnel.

5.1.2 Addresses risk from an organization perspective with the development of a comprehensive governance structure and organization-wide risk management strategy as described in NIST SP 800-37, Rev. 1. - No

The Department has not developed an organization-wide risk management strategy that addresses risk from an organizational perspective. According to OCIO officials, funding was reduced for the team responsible for the development and implementation of the governance project, which included the RMF strategy.

5.1.3 Addresses risk from a mission and business process perspective and is guided by the risk decisions from an organizational perspective, as described in NIST SP 800-37, Rev. 1. - No

As noted in questions 5.1.1 and 5.1.2, the Department does not have a policy, adequate procedures, a governance structure, or an organizational risk management strategy. Therefore, it has not defined the risks from a mission and business process perspective in order to address them from an organizational perspective.

5.1.4 Addresses risk from an information system perspective and is guided by the risk decisions from an organizational perspective and the mission and business perspective, as described in NIST SP 800-37, Rev. 1. - No

As noted in questions 5.1.1 and 5.1.2, the Department does not have policies, adequate procedures, a governance structure, or an organizational risk management strategy. Therefore, officials have not defined the information system risks necessary to address them from a mission and business perspective.

5.1.5 Has an up-to-date system inventory. - No

The Department does not have an up-to-date system inventory. We found a contractor system not recorded in the Cyber Security Assessment and Management (CSAM) system.[46] In addition, the required system inventory reconciliation was not completed this year because the system that was used in previous reconciliations was retired.[47] Currently, there is no way for USDA to ensure that all systems are recorded in CSAM and that USDA has an accurate inventory.

[46] CSAM is a comprehensive system developed by the Department of Justice, which can help in achieving FISMA compliance. CSAM provides a vehicle for the Department, agencies, system owners, and security staffs to (1) manage their system inventory, interfaces, and related system security threats and risks; (2) enter system security data into a single repository to ensure all system security factors are adequately addressed; (3) prepare annual system security documents, such as security plans, risk analyses, and internal security control assessments; and (4) generate custom and predefined system security status reports to effectively and efficiently monitor each agency's security posture and FISMA compliance.
This includes agency-owned systems or those operated by contractors on the agency's behalf.
[47] FISMA requires an inventory to be kept and maintained at least annually.

5.1.6 Categorizes information systems in accordance with government policies. - No

We generated a report from CSAM which identified the impact level for each of the Department's systems. The report included the impact levels for confidentiality, integrity, and availability, which were categorized as high, moderate, or low.[48] If any one of the impact levels is high, for instance, then the system must be categorized as a high system. We compared the generated report to the recommended categorization levels in NIST and found that 18 of 233 systems were not properly categorized.[49] These systems had a lower categorization rating than was recommended, without adequate justification.[50] NIST requires that any adjustments to the recommended impact levels be documented and include justification for the adjustment.

5.1.7 Selects an appropriately tailored set of baseline security controls. - No

NIST SP 800-53 recommends a set of minimum baseline security controls to be implemented based on a system's overall categorization. The lower the category, the fewer required controls. Therefore, the incorrect categorization noted in 5.1.6 led to inadequate controls being implemented for those 18 systems. NIST SP 800-60 states that an incorrect information system impact analysis can result in the agency either overprotecting the information system (thereby wasting valuable security resources) or under-protecting the information system and placing important operations and assets at risk.

5.1.8 Implements the tailored set of baseline security controls and describes how the controls are employed within the information system and its environment of operation. - No

As noted in 5.1.7, the incorrect categorization noted in 5.1.6 led to inadequate controls being implemented for those 18 systems.

5.1.9 Assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. - No

We found that security controls were not implemented correctly. Specifically, systems' security controls did not include sufficient support for implementation. For example, for 15 of 15 systems reviewed, the controls involving security awareness training, incident response, or program management were described as inherited. However, these controls could not be inherited. The Department requires the agencies to develop specific procedures on how the organization will implement these types of controls.

[48] FISMA (44 U.S.C. Section 3542) defines integrity as guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. Confidentiality is defined as preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. Availability is defined as ensuring timely and reliable access to and use of information.
[49] Systems inventory as of September 3, 2013.
[50] NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Vol. 1 (August 2008).

5.1.10 Authorizes information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable. - No

The Department does not authorize information system operation based on a determination of the risk to organizational operations and assets. We found 5 systems operational with no authority to operate (ATO), and 27 systems with expired ATOs that were operational. We also found a parent system identified as being in development, but the system had four child systems that were operational without ATOs.[51] This occurred because the Department felt that the systems needed to be operational for business needs.

In the FY 2009 FISMA report, OIG recommended that the Department develop and implement an effective certification & accreditation (C&A) process based on NIST guidance and ensure that all systems have the proper ATO.[52] This recommendation reached final action; however, we found that the same issue still exists.

5.1.11 Ensures information security controls are monitored on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials. - No

NIST SP 800-53 states that the organization will assess the security controls in an information system as part of the testing/evaluation process. However, as noted in 1.1.3, we identified 72 of 246 systems where ongoing assessments of selected security controls had not been performed in FY 2013.[53]

5.1.12 Information-system-specific risks (tactical), mission/business-specific risks, and organizational-level (strategic) risks are communicated to appropriate levels of the organization. - No

As noted in 5.1.1-5.1.4, the Department does not have policies, adequate procedures, a governance structure, or an organizational risk management strategy with defined risks in place. Therefore, we were unable to determine if the information-system-specific risks were communicated to appropriate levels of the organization.

[51] Total number of systems generated out of CSAM as of September 3, 2013.
[52] The assessment & authorization (A&A) is the new terminology for the former certification and accreditation process mandated by OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources (November 28, 2000). The process requires that IT system controls be documented and tested by technical personnel and that the system be given formal ATO by an agency official.
[53] Systems Inventory as of October 21, 2013.

5.1.13 Senior officials are briefed on threat activity on a regular basis by appropriate personnel (e.g., CISO). - Yes

No exception noted. The Department briefs appropriate personnel through weekly activity reports.

5.1.14 Prescribes the active involvement of information system owners and common control providers, chief information officers, senior information security officers, authorizing officials, and other roles as applicable in the ongoing management of information system-related security risks. - Yes

No exception noted. The RMF guide prescribes the active involvement of appropriate personnel.

5.1.15 Security authorization package contains system security plan, security assessment report, and POA&M in accordance with government policies. (NIST SP 800-18, 800-37). - No

The system security plans (SSP) we reviewed were inadequate and not in accordance with Government policies.[54] We found that 15 of 15 SSPs did not meet the minimum security requirements required by NIST SP 800-53.
Specifically, these systems' security controls did not include sufficient support for implementation. For instance, we found controls that had not been assessed, and the agencies did not have evidence to support why the controls were not assessed.

We also reviewed 15 of the Department's security assessment reports (SARs) and found that none of them met the minimum security requirements of NIST SP 800-37.[55] Specifically, NIST SP 800-37 requires a security assessment plan (SAP) to be included with the SAR; the SAP provides the objectives for the security control assessment and a detailed roadmap of how to conduct the assessment. During our review we found that three of the three SAPs that had fully completed the assessment & authorization (A&A) process had not been approved or authorized. As a result, USDA cannot be assured that all system controls had been documented and tested, and that systems were operating at an acceptable level of risk.

As noted in 7.1.6, USDA POA&Ms did not meet Federal guidelines.

5.1.16 Security authorization package contains accreditation boundaries, defined in accordance with government policies, for organization information systems. - No

During our review of SSPs, we verified whether system accreditation boundaries were accurately defined in accordance with Government policies. We found that 4 of 15 systems did not adequately define and/or explain the system boundaries. Unclear boundaries can lead to confusion over responsibility for system components.

[54] NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems (February 2006), requires the SSP as part of the A&A documentation. It provides an overview of the security requirements of the system and describes the controls in place (or planned) for meeting those requirements. The SSP also delineates responsibilities and expected behavior of all individuals who access the system.
[55] The results of the security control assessment, including recommendations for correcting any weaknesses or deficiencies in the controls, are documented in the SAR.

5.2 Please provide any additional information on the effectiveness of the organization's Risk Management Program that was not noted in the questions above.

No additional information to provide.


S6: Security Training

6.1 Has the organization established a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? - Yes

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

6.1.1 Documented policies and procedures for security awareness training (NIST SP 800-53: AT-1). - Yes

We determined that the Department's and two of the two reviewed agencies' security awareness policies and procedures met all the requirements outlined in NIST SP 800-53 for FY 2013.[56]

In the FY 2011 FISMA report, OIG recommended that the Department develop monitoring procedures to appropriately report the status of USDA employees being trained to meet their information security awareness needs. This recommendation reached management decision, but has exceeded the estimated completion date of September 30, 2013.

6.1.2 Documented policies and procedures for specialized training for users with significant information security responsibilities. - No

The Department's policy for specialized security training was not fully developed. In addition, the Department's specialized security training procedures and the procedures for two of two agencies reviewed were not effective, fully developed, or sufficiently detailed.[57] Specifically, we found that the Department's policy for specialized training did not include a definition of significant information security responsibilities.

[56] Departmental SOP-CPPO-018, Information Security Awareness Training (April 21, 2011).
[57] NIST SP 800-53 requires the organization to provide basic security awareness training to all users. Additionally, it requires the organization to identify and provide information system managers, system and network administrators, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software with role-based specialized security training related to their specific roles and responsibilities. The organization is to determine the appropriate content of security training and the specific requirements of the organization and the information systems to which personnel have authorized access.

In the FY 2009 FISMA report, OIG recommended that the Department develop training policies and procedures for personnel with significant security responsibilities, to include a Departmental definition of what constitutes significant security responsibilities. The recommendation reached management decision, but the policy and procedures exceeded the estimated published date of September 30, 2011. The Department's new policy, which includes guidance for specialized security awareness training, was officially published on October 22, 2013.[58]

6.1.3 Security training content based on the organization and roles, as specified in organization policy or standards. - Yes

No exception noted.
OIG reviewed the training content for individuals of the two sampled\nagencies with significant information security responsibilities. All 58 reviewed employees had\ntraining that was documented and was appropriate for role-based training.\n\n6.1.4 Identification and tracking of the status of security awareness training for all\npersonnel (including employees, contractors, and other organization users) with access\nprivileges that require security awareness training. - Yes\n\nNo substantial exception noted. NIST SP 800-53 requires agencies to document and monitor\nindividual information system security training activities and to retain individual training\nrecords. During our review of two agencies, we found 3 of 9755 users (less than 1 percent) with\nlogin privileges without evidence that the users had completed the annual security awareness\ntraining. We consider the Department to have substantially met the requirements.\n\nAlthough these two agencies have substantially met the requirements, there is still an open\nrecommendation. In the FY 2010 FISMA report, OIG recommended that the Department ensure\nits training repository is completely populated and all required personnel receive the training.\nThis recommendation is still open and has exceeded the estimated completion date of August 30,\n2011.\n\n6.1.5 Identification and tracking of the status of specialized training for all personnel\n(including employees, contractors, and other organization users) with significant\ninformation security responsibilities that require specialized training. - Yes\n\nNo substantial exception noted. NIST SP 800-53 requires agencies to provide role-based\ntraining. Agencies are required to document and monitor individual information system security\ntraining activities and to retain individual training records. 
OIG reviewed the training content for\nindividuals with significant information security responsibilities of the two sampled agencies.\nOur testing of 58 employees with significant security responsibilities found all 58 employees\nfrom the two sampled agencies had adequate role-based training to meet NIST requirements and\nhad documented evidence of specialized training attendance. The contractor review identified\none of eight agencies that had an issue with the identification and tracking of the status of\nspecialized training for all personnel with significant information security responsibilities that\n\n\n58\n     DR 3545-001, Information Security Awareness and Training Policy (October 22, 2013).\n\n                                                                      AUDIT REPORT 50501-0004-12   33\n\x0crequired specialized training. We consider the Department to have substantially met the\nrequirements.\n\n6.1.6 Training material for security awareness training contains appropriate content for\nthe organization (NIST SP 800-50, 800-53). - Yes\n\nNo exception noted. We found that the material for the security awareness training does contain\nthe appropriate content to meet NIST SP 800-53.\n\n6.2 Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s\nSecurity Training Program that was not noted in the questions above.\n\nNo additional information to provide.\n\n\nS7: Plan Of Action & Milestones (POA&M)\n\n7.1 Has the organization established a POA&M program that is consistent with FISMA\nrequirements, OMB policy, and applicable NIST guidelines and tracks and monitors\nknown information security weaknesses? - Yes\n\nBesides the improvement opportunities that may have been identified by the OIG, does the\nprogram include the following attributes?\n\n7.1.1 Documented policies and procedures for managing IT security weaknesses discovered\nduring security control assessments and that require remediation. 
- No\n\nThe Department\xe2\x80\x99s security manual included a policy establishing a POA&M process for\nreporting IT security deficiencies and for tracking the status of remediation efforts; however, this\ndocument was not finalized until September 25, 2013, and was not in effect as guidance for the\nagencies to follow during FY 2013. We reviewed this document and found it to include all\nrequired elements.\n\nAdditionally, the Department has established procedures. Our review of the POA&M SOP\ndetermined it was updated to include OMB-outlined criteria, 59 and that it reflected the current\nPOA&M process. 60 However, we found one of two agencies reviewed did not have\nestablished POA&M procedures for managing IT security weaknesses discovered during security\ncontrol assessments that required remediation.\n\n7.1.2 Tracks, prioritizes and remediates weaknesses. - No\n\n\n\n59\n   OMB M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act\n(August 23, 2004).\n60\n   Departmental Oversight and Compliance Division SOP-003, Plan of Action and Milestones Management\n (July 2013).\n\n34      AUDIT REPORT 50501-0004-12\n\x0cWe found the Department\xe2\x80\x99s POA&M program tracks weaknesses. However, we identified 42 of\n677 open and approved POA&Ms as of September 25, 2013, that did not have an identified\npriority level. Additional testing by contractors identified one of six agencies did not have a\nPOA&M program that tracks, prioritizes, and remediates weaknesses. The Department uses\nCSAM as the central repository for POA&Ms, which includes tracking weaknesses, identifying\npriority levels, and housing all supporting documentation of remediation. In addition, the\nDepartment holds bi-weekly meetings with each agency to discuss POA&M status and any\noutstanding POA&M issues, in order to continually monitor agency progress.\n\n7.1.3 Ensures remediation plans are effective for correcting weaknesses. 
- No\n\nOMB 04-25 specifies that effective remediation of IT security weaknesses is essential to achieve\na mature and sound IT security program, and for securing information and systems. It further\nstates that a milestone should identify specific requirements to correct an identified weakness.\nTo test the Department\xe2\x80\x99s remediation effectiveness, we reviewed a statistical sample of 68\nPOA&Ms that were closed during FY 2013, and found 10 were closed without documented\nremediation plans. 61 Based on our sample results, we estimate 128 POA&Ms (15 percent of the\nuniverse) were closed in FY 2013 with remediation actions that did not sufficiently address the\nidentified weaknesses in accordance with Government policies. 62 Additionally, of the POA&M\nclosures reviewed by the Department, 12 of 163 closures were not acceptable, due to insufficient\ndocumentation to support remediation, or closure procedures were not followed.\n\n7.1.4 Establishes and adheres to milestone remediation dates. - No\n\nWe found that 597 of the 2,806 (21 percent) milestones completed in FY 2013 were not\ncompleted by the planned milestone finish date. This is down from 28 percent in FY 2012.\nWe found that milestone dates are being established, but the remediation dates are not always\nadhered to. Additional testing by contractors identified one of six agencies did not have a\nPOA&M program, which establishes and adheres to milestone remediation dates.\n\n7.1.5 Ensures resources and ownership are provided for correcting weaknesses. - No\n\nWe found weaknesses that were not being remediated due to inadequate resources. We\nidentified 261 delayed POA&Ms as of August 28, 2013. We determined 132 of the 261\nPOA&Ms were delayed due to inadequate resources. Additionally, 32 POA&Ms were delayed\nwithout providing an explanation. We also found that ownership was not assigned for 44 of 763\nopen POA&Ms as of August 1, 2013. 
Additional work by contractors identified one of three\nagencies did not have a POA&M program that ensures resources and ownership are provided for\ncorrecting weaknesses.\n\n\n61\n   We based our sample size on a 25 percent error rate and desired absolute precision of +/-10 percent, at the 95\npercent confidence level. With these assumptions, we calculated a sample size of 68 POA&Ms for review and\nselected them by choosing a simple random sample. Additional sample design information is presented in\nExhibit B.\n62\n   We are 95 percent confident that between 56 (6.4 percent) and 200 (23 percent) of closed POA&Ms in the FY had\nremediation actions that did not sufficiently address the identified weaknesses in accordance with Government\npolicies. Additional sample design information is presented in Exhibit B.\n\n                                                                     AUDIT REPORT 50501-0004-12              35\n\x0c7.1.6 POA&Ms include security weaknesses discovered during assessments of security\ncontrols and that require remediation (do not need to include security weakness due to a\nrisk-based decision to not implement a security control) (OMB M-04-25). - No\n\nOMB requires agencies to prepare POA&Ms for all programs and systems where an IT security\nweakness has been found. The Department\xe2\x80\x99s SOP requires an agency to create a POA&M when\nan identified weakness cannot be remediated within 30 days. However, we found four agencies\nthat were not creating POA&Ms for vulnerabilities that were outstanding for over 30 days.\n\n7.1.7 Costs associated with remediating weaknesses are identified\n(NIST SP 800-53, Rev. 3, Control PM-3 and OMB M-04-25). - Yes\n\nNo exception noted. OMB requires that POA&Ms include the estimated funding resources\nrequired to resolve the weakness. We found 42 of 763 (5.5 percent) POA&Ms that did not have\nassociated costs. 
The Department has made significant progress since FY 2011 when we found\nthat 38 percent of the POA&Ms did not have associated costs. Therefore we consider the error\nrate in FY 2013 to be insignificant.\n\n7.1.8 Program officials report progress on remediation to CIO on a regular basis, at least\nquarterly, and the CIO centrally tracks, maintains, and independently reviews/validates\nthe POA&M activities at least quarterly (NIST SP 800-53, Rev. 3, Control CA-5;\nOMB M-04-25). - Yes\n\nOIG determined that the Department\xe2\x80\x99s POA&M program has established a process for program\nofficials and contractors to report on remediation progress to the CIO on a regular basis, and\nfor OCIO to track and review POA&Ms at least quarterly. However, there is still room for\nimprovement in the tracking and reviewing of audit POA&Ms. The Department\xe2\x80\x99s SOP requires\nthat all closed POA&Ms resulting from a GAO or OIG audit are subject to the Department\'s\nclosure review process. We identified 11 closed audit POA&Ms that had not been reviewed by\nOCIO.\n\nIn the FY 2011 FISMA report, OIG recommended that the Department actively manage the\nPOA&M process, which includes tracking and reviewing POA&Ms in accordance with its\nrecently issued SOP. The recommendation is open with management decision.\n\n7.2 Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s\nPOA&M Program that was not noted in the questions above.\n\nNo additional information to provide.\n\n\n\n\n36     AUDIT REPORT 50501-0004-12\n\x0cS8: Remote Access Management\n\n8.1 Has the organization established a remote access program that is consistent with\nFISMA requirements, OMB policy, and applicable NIST guidelines? 
- Yes\n\nBesides the improvement opportunities that may have been identified by the OIG, does the\nprogram include the following attributes?\n\n8.1.1 Documented policies and procedures for authorizing, monitoring, and controlling all\nmethods of remote access (NIST SP 800-53: AC-1, AC-17). - No\n\nAlthough the Department has a remote access policy, our testing found it did not meet all NIST\nrequirements. 63 There were two policy areas that were not addressed in the Departmental policy\nas outlined by NIST. One area was the administration of remote access servers and the other was\nthe periodic reassessment of the telework device policies. Additionally, we found two of\ntwo agencies reviewed did not have a remote access policy or procedures fully developed. This\noccurred because the agencies either had a policy, or procedures, but not both. As a result,\ninadequate security of remote access could result in the unauthorized access, use, disclosure,\ndisruption, modification, or destruction of information.\n\nIn the FY 2010 FISMA report, we recommended the Department develop remote access and\ntelework policy and procedures that fully comply with NIST. The recommendation is still open;\nOCIO has exceeded the estimated completion date of August 31, 2011.\n\n8.1.2 Protects against unauthorized connections or subversion of authorized connections. -\nYes\n\nNo exception noted. We found two of two agencies reviewed had programs protecting against\nunauthorized connections or subversion of authorized connections.\n\n8.1.3 Users are uniquely identified and authenticated for all access\n(NIST SP 800-46, Section 4.2, Section 5.1). - No\n\nWe found one of two agencies reviewed was not using multi-factor authentication (which\nuniquely identifies and authenticates remote users) for remote access as required. 
This occurred\nbecause while the enterprise solution for two-factor authentication (LincPass) is implemented\nand available, it is not required and therefore not being used Departmentwide (see 8.1.5 below).\nWe also found the telework policy was insufficient (see 8.1.6 below). In addition, one contract\naudit found and one agency self-reported not having two-factor authentication for remote access\nproperly implemented.\n\n\n\n\n63\n     NIST SP 800-46 Rev. 1, Guide to Enterprise Telework and Remote Access Security (June 2009).\n\n                                                                      AUDIT REPORT 50501-0004-12   37\n\x0c8.1.4 Telecommuting policy is fully developed (NIST SP 800-46, Section 5.1). - No\n\nAs reported in item 8.1.1 above, the Department has a remote access (and telework) policy but\nour testing found it did not meet all NIST requirements. It establishes the telework program for\nthe agency and outlines parts of the program like the types of telework agreements, eligibility,\nexclusions, etc. However, the information security section does not provide detailed policy\nguidance for securing the equipment, work products, and software while teleworking.\nSpecifically we found two of two agencies reviewed did not have a fully developed\ntelecommuting policy. This occurred because the agency depended on the Departmental policy,\nwhich had deficiencies.\n\nIn the FY 2010 FISMA report, we recommended that the Department develop a remote access\nand telecommuting policy and procedures that fully comply with NIST. The recommendation is\nstill open and OCIO has exceeded its estimated completion date of August 31, 2011.\n\n8.1.5 If applicable, multi-factor authentication is required for remote access\n(NIST SP 800-46, Section 2.2, Section 3.3). - No\n\nWhile multi-factor authentication for remote access is required by Departmental policy, we\nfound one of two agencies we reviewed did not have it properly implemented. 
This occurred\nbecause while the enterprise solution for two-factor authentication (LincPass) is implemented\nand available, it is not required and therefore not being used Departmentwide. Also, the\nagencies\xe2\x80\x99 inability to distribute its PIV cards limited staff participation. In addition, one contract\naudit found, and another agency self-reported, not having two-factor authentication for remote\naccess properly implemented.\n\nIn the FY 2010 FISMA report, we recommended the Department complete the Departmental\nprojects that will enforce multi-factor authentication and external media encryption. The\nrecommendation is still open; OCIO has exceeded its estimated completion date of\nSeptember 30, 2011.\n\n8.1.6 Authentication mechanisms meet NIST Special Publication 800-63 guidance on\nremote electronic authentication, including strength mechanisms. - No\n\nIf the Department would require the use of PIV cards for remote access authentication, it would\nsatisfy all the NIST requirements, including strength mechanisms. 64 As reported in item 8.1.5\nabove, we found that while multi-factor authentication for remote access was required by\nDepartmental policy, one of two agencies we reviewed did not properly implement it.\n\n8.1.7 Defines and implements encryption requirements for information transmitted across\npublic networks. - Yes\n\nNo exception noted. We found two of two agencies reviewed had defined and implemented\nencryption requirements for information transmitted across public networks.\n\n\n64\n     NIST SP 800-63, Electronic Authentication Guideline (April 2006).\n\n38         AUDIT REPORT 50501-0004-12\n\x0c8.1.8 Remote access sessions, in accordance with OMB M-07- 16, are timed-out after 30\nminutes of inactivity, after which re-authentication is required. - Yes\n\nNo exception noted. 
We reviewed two agencies\xe2\x80\x99 remote access session time-out settings and\nfound they were compliant with OMB requirements and timed-out after 30 minutes of\ninactivity and re-authentication was required. 65\n\n8.1.9 Lost or stolen devices are disabled and appropriately reported\n(NIST SP 800-46, Section 4.3, US-CERT Incident Reporting Guidelines). - No\n\nEven though lost and stolen equipment was consistently being processed (wiped and/or\ndisabled), we found 13 of 13 incidents of lost or stolen remote access devices were\nnot appropriately reported within the required timeframe.\n\n8.1.10 Remote access rules of behavior are adequate in accordance with government\npolicies (NIST SP 800-53, PL-4). - Yes\n\nNo exception noted. We reviewed two agencies\xe2\x80\x99 rules of behavior agreements, and found they\nwere in accordance with Government policies.\n\n8.1.11 Remote access user agreements are adequate in accordance with government policies\n(NIST SP 800-46, Section 5.1, NIST SP 800-53, PS-6). - Yes\n\nNo exception noted. We reviewed two agencies\xe2\x80\x99 user access agreements, and found they were in\naccordance with Government policies.\n\n8.2 Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s\nRemote Access Management that was not noted in the questions above.\n\nNo additional information to provide.\n\n8.3 Does the organization have a policy to detect and remove unauthorized (rogue)\nconnections? - No\n\nWhile the Department and agencies were monitoring, detecting, and reporting unauthorized\n(rogue) connections, we found no documented policies requiring it. 
This occurred because\nthe Departmental Logical and Physical Access Control Policy was still in draft and had not\nbeen issued.\n\n\n\n\n65\n  OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information\n(May 22, 2007).\n\n                                                                   AUDIT REPORT 50501-0004-12             39\n\x0cS9: Contingency Planning\n\n9.1 Has the organization established an enterprise-wide business continuity/disaster\nrecovery program that is consistent with FISMA requirements, OMB policy, and\napplicable NIST guidelines? - Yes\n\nBesides the improvement opportunities that may have been identified by the OIG, does the\nprogram include the following attributes?\n\n9.1.1 Documented business continuity and disaster recovery policy providing the authority\nand guidance necessary to reduce the impact of a disruptive event or disaster\n(NIST SP 800-53: CP-1). - Yes\n\nNo exception noted. NIST SP 800-53 states that the organization develops, disseminates, and\nreviews/updates a formal, documented contingency planning policy. We found that the\nDepartment\xe2\x80\x99s contingency planning policy met these requirements.\n\nIn the FY 2011 FISMA report, OIG recommended that the Department update the contingency\nplan template to adequately address all NIST SP 800-53 requirements. 66 The recommendation\nhas reached final action and the Department issued an updated contingency planning template\nthat meets NIST requirements. 67\n\n9.1.2 The organization has incorporated the results of its system\xe2\x80\x99s Business Impact\nAnalysis (BIA) into the analysis and strategy development efforts for the organization\xe2\x80\x99s\nContinuity of Operations Plan (COOP), Business Continuity Plan (BCP), and Disaster\nRecovery Plan (DRP) (NIST SP 800-34). - No\n\nNIST SP 800-34 states that conducting the BIA is a key element in a comprehensive information\nsystem contingency planning process. 
68 The Department\'s guide on developing contingency\nplans requires that a BIA be completed, during the concurrency review, for each system. 69 We\nfound two of two agencies reviewed by OIG did not have a BIA for any of their systems.\n\n9.1.3 Development and documentation of division, component, and IT infrastructure\nrecovery strategies, plans and procedures (NIST SP 800-34). - Yes\n\nNo exception noted. We found that all contingency plans (20 of 20) had addressed the key\ninformation required by NIST 800-34. Both tested agencies used the same outline for all\ncontingency plans.\n\n\n\n\n66\n   USDA Contingency Plan Template (March 2011).\n67\n   USDA Contingency Plan Template (December 2012).\n68\n   NIST SP 800-34, Contingency Planning Guide For Federal Information Systems (May 2010).\n69\n   Department Manual 3570-001, Disaster Recovery and Business Resumption Plans (February 17, 2005).\n\n40      AUDIT REPORT 50501-0004-12\n\x0c9.1.4 Testing of system specific contingency plans. - No\n\nNIST SP 800-53 requires Federal agencies to test and exercise contingency plans for information\nsystems, using organization-defined tests or exercises. This is done to determine the plans\xe2\x80\x99\neffectiveness and the organization\'s readiness to execute the plans and initiate corrective actions.\nWe identified 89 of 243 systems for which USDA system contingency plans had not been tested\nor documentation had not been updated during FY 2013 as required. 70\n\n9.1.5 The documented BCP and DRP are in place and can be implemented when necessary\n(FCD1, NIST SP 800-34). - No\n\nNIST SP 800-53 requires the agency to have formal, documented procedures to facilitate the\nimplementation of its contingency planning policy and associated controls. We found that the\ndocumented business continuity and disaster recovery plans were not in place and cannot be\nimplemented when necessary. 
For example, 13 of 51 statistically sampled system contingency\nplans did not have evidence of ongoing testing of the plan. 71 Based on our sample results, we\nestimate that 58 systems in our universe (about 26 percent of the universe) did not have evidence\nof ongoing testing. 72\n\n9.1.6 Development of test, training, and exercise (TT&E) programs (FCD1,\nNIST SP 800-34, NIST SP 800-53). - Yes\n\nNo exception noted. NIST SP 800-53 requires Federal agencies to test and exercise contingency\nplans for information systems, using organization-defined tests or exercises. We found that all\n64 of the systems we reviewed had documented training, testing, and exercise programs\nincorporated in their contingency plans.\n\n9.1.7 Testing or exercising of BCP and DRP to determine effectiveness and to maintain\ncurrent plans. - No\n\nNIST SP 800-53 requires Federal agencies to test and exercise contingency plans for information\nsystems, review the contingency plan test/exercise results, and initiate corrective actions. As\nnoted in 9.1.5, we found that there were 13 of 51 systems within our sample of Departmental\nsystems that did not perform testing or provide evidence to show ongoing testing of plans. We\nalso identified 89 of 243 Departmental systems without a testing date during FY 2013 recorded\nin CSAM.\n\n\n\n\n70\n   Systems Inventory as of October 28 2013. USDA Contingency Plan Exercise Handbook, Rev 1.1\n(February 2011).\n71\n   We selected a simple random sample of 51 contingency plans for review. For a 95 percent confidence level, this\nsample size was adequate for a range of potential outcomes: from a 0 percent exception rate with a 5 percent upper\nlimit to a 20 percent error rate with +/-10 percent precision. Additional sample design information is presented in\nExhibit B.\n72\n   We are 95 percent confident that between 33 (15 percent) and 82 systems (37 percent) are non-compliant with this\ncriterion. 
Additional sample design information is presented in Exhibit B.\n\n                                                                      AUDIT REPORT 50501-0004-12               41\n\x0c9.1.8 After-action report that addresses issues identified during contingency/disaster\nrecovery exercises (FCD1, NIST SP 800-34). - No\n\nNIST SP 800-34 states that all recovery and reconstitution events should be well documented,\nincluding actions taken and problems encountered during recovery and reconstitution efforts. An\nafter-action report with lessons learned should be documented and updated. As stated in 9.1.7,\nour review of 51 sampled systems from the Department found that 13 did not have a record of\ntesting and therefore, no after action report.\n\n9.1.9 Systems that have alternate processing sites (FCD1, NIST SP 800-34,\nNIST SP 800-53). - Yes\n\nNo exception noted. NIST SP 800-53 requires alternate processing sites to be established for\ninformation systems in case of a disaster. We statistically sampled 51 systems and found all of\nthose systems met the requirement to provide an alternate processing site.\n\n9.1.10 Alternate processing sites are not subject to the same risks as primary sites (FCD1,\nNIST SP 800-34, NIST SP 800- 53). - Yes\n\nNo exception noted. We found that 51 of 51 systems from our statistical sample had alternate\nprocessing sites that were not subject to the same risks as the primary site.\n\n9.1.11 Backups of information that are performed in a timely manner (FCD1,\nNIST SP 800-34, NIST SP 800-53). - Yes\n\nNo exception noted. NIST SP 800-53 states that the organization should conduct user-level,\nsystem-level, and information system documentation backups. We found two of two agencies\nreviewed by OIG were performing backups in a timely manner.\n\n9.1.12 Contingency planning that considers supply chain threats. 
- No\n\nWe found 4 of 51 contingency plans in our statistical sample of Department systems did not\ndocument or consider supply chain threats within the contingency plan. 73 This occurred because\nthe disaster recovery plans had not been completed. Based on our sample results, we estimate\nthat 18 systems in our universe (about 8 percent of the universe) did not have evidence that they\nconsidered their supply chains or vendors. 74\n\n\n\n\n73\n   We selected a simple random sample of 51 contingency plans for review. For a 95 percent confidence level, this\nsample size was adequate for a range of potential outcomes: from a 0 percent exception rate with a 5 percent upper\nlimit to a 20 percent error rate with +/-10 percent precision. Additional sample design information is presented in\nExhibit B.\n74\n   We are 95 percent confident that between 4 (actual number found, 2 percent) and 33 systems (15 percent) are\nnon-compliant with this criterion.\n\n42      AUDIT REPORT 50501-0004-12\n\x0c9.2 Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s\nContingency Planning Program that was not noted in the questions above.\n\nNo additional information to provide.\n\n\nS10: Contractor Systems\n\n10.1 Has the organization established a program to oversee systems operated on its behalf\nby contractors or other entities, including organization systems and services residing in the\ncloud external to the organization? - No\n\nBesides the improvement opportunities that may have been identified by the OIG, does the\nprogram includes the following attributes?\n\n10.1.1 Documented policies and procedures for information security oversight of systems\noperated on the organization\xe2\x80\x99s behalf by contractors or other entities, including\norganization systems and services residing in a public cloud. 
- No

We found that the Department has not established a program to oversee systems operated on its behalf by contractors or other entities, including organization systems and services residing in a cloud environment external to the organization. We found that the Department does not have documented policies relating to this topic.

In the FY 2010 FISMA report, we recommended that the Department develop policy and procedures for information security oversight of systems operated on the agency's behalf. The policy and procedures should ensure that an accurate inventory of contractor systems and memoranda of understanding/interconnection service agreements are completed periodically. The recommendation is still open and has exceeded the estimated completion date of September 15, 2011. OCIO has had a policy in draft for 4 years and has not yet finalized it.

10.1.2 The organization obtains sufficient assurance that security controls of such systems and services are effectively implemented and comply with Federal and organization guidelines (NIST SP 800-53: CA-2). - No

As noted in 10.1.3 below, we found operational contractor systems in CSAM that did not have a current ATO, did not sufficiently document their interconnections, or did not have a signed SSP. Based on these findings, we determined that the Department's contractor systems program was not ensuring that security controls of contractor systems and services were effectively implemented and complied with organizational guidelines.

10.1.3 A complete inventory of systems operated on the organization's behalf by contractors or other entities, including organization systems and services residing in a public cloud.
- No

USDA's contractor systems program does not include a complete inventory of systems operated on the organization's behalf by contractors or other entities, including organization systems and services residing in a cloud. We found 1 contractor system was not in the Department's inventory, 1 cloud system was incorrectly identified as a non-contractor system, 3 contractor systems had insufficient interconnection documentation, 5 systems had expired ATOs, and 14 systems had missing authorizing signatures. We also reviewed a random sample of 40 non-contractor systems and found that 4 had insufficient interconnection documentation. Based on our sample results, we estimate 20 non-contractor systems (10 percent of the universe) had insufficient interconnection documentation.[75]

In the FY 2010 FISMA report, we recommended that OCIO ensure contractor and non-contractor systems inventory and interfaces are accurate and updates are completed at least annually. The recommendation is still open; OCIO has exceeded its estimated completion date of September 15, 2011.

10.1.4 The inventory identifies interfaces between these systems and organization-operated systems (NIST SP 800-53: PM-5). - No

We reviewed interconnection documentation for 15 operational and reportable contractor systems in CSAM and found that 3 did not have adequately identified or documented interfaces in CSAM.

In the FY 2012 FISMA report, we recommended that OCIO develop and implement an effective process for making sure interface connections are documented, and that Interconnection Security Agreements accurately reflect all connections to the systems. The Department needs to review interfaces during its annual testing processes.
The recommendation is still open; OCIO has exceeded its estimated completion date of September 30, 2013.

As noted in 10.1.3 above, in the FY 2010 FISMA report, we recommended that the Department ensure contractor and non-contractor systems inventory and interfaces are accurate and updates are completed at least annually. The recommendation is still open; OCIO has exceeded its estimated completion date of September 15, 2011.

Also, in the FY 2009 FISMA report, we recommended the Department develop and implement an effective process to ensure system interfaces are accounted for in CSAM. The Department reached final decision by issuing a CSAM Users Guide and POA&M SOP (CPO-SOP-002). Because these are not policy guidance, we take exception to final action being reached on this recommendation.

[75] We are 95 percent confident that between 3 (1 percent) and 38 (19 percent) non-contractor systems may have insufficient interconnection documentation in CSAM. Additional sample design information is presented in Exhibit B.

10.1.5 The organization requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates. - No

The Department's contractor systems program was not requiring appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates. As noted in 10.1.4 above, we found three contractor systems that did not have adequately identified or documented interfaces in CSAM.

10.1.6 The inventory of contractor systems is updated at least annually.
- No

We found that inventory reconciliation had not been performed for over 4 years and the Department did not have documented policies and procedures for oversight of contractor systems.

As noted in 10.1.3 above, in the FY 2010 FISMA report, we recommended that OCIO ensure contractor and non-contractor systems' inventory and interfaces are accurate and updates are completed at least annually. The recommendation is still open; OCIO has exceeded its estimated completion date of September 15, 2011.

10.1.7 Systems that are owned or operated by contractors or entities, including organization systems and services residing in a public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines. - No

We found 5 contractor systems with expired ATOs, 3 contractor systems with missing interconnection agreements, and 14 contractor systems with missing SSP signatures. We also found a cloud system that was not included in the Department's inventory and another that was not identified as a contractor system.

10.2 Please provide any additional information on the effectiveness of the organization's Contractor Systems Program that was not noted in the questions above.

No additional information to provide.

S11: Security Capital Planning

11.1 Has the organization established a security capital planning and investment program for information security? - Yes

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

11.1.1 Documented policies and procedures to address information security in the capital planning and investment control (CPIC) process. - Yes

No exception noted.
In response to our FY 2011 audit recommendation, OCIO issued a new policy on May 29, 2013, updating the definition of a major IT investment.

11.1.2 Includes information security requirements as part of the capital planning and investment process. - No

We reviewed the Exhibit 53B documentation submitted by USDA and four selected agencies as part of the annual budgeting process. Our testing determined USDA's security capital planning and investment program includes information security requirements as part of the capital planning and investment process; however, detailed testing determined all four of the reviewed agencies could not provide adequate supporting documentation for the amounts submitted on their annual Exhibit 53B. This occurred because the agencies were unaware of the need to retain adequate supporting documentation used during the budgeting process. As a result, USDA lacks justification for the IT security costs portion of its budgetary request.[76]

11.1.3 Establishes a discrete line item for information security in organizational programming and documentation (NIST SP 800-53: SA-2). - No

We reviewed the Exhibit 53B documentation submitted by USDA and four selected agencies as part of the annual budgeting process. However, as noted in 11.1.2, detailed testing determined four of the four agencies selected could not provide adequate supporting documentation for the amounts submitted on their annual Exhibit 53B; therefore, a discrete line item for information security in organizational programming and documentation could not be supported.

11.1.4 Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required (NIST SP 800-53: PM-3). - No

We reviewed a sample of Exhibit 300 documents submitted by agencies within USDA to verify that the Exhibit 300 included OMB-required supporting documentation.
[77] Our testing determined that USDA does not consistently employ business cases across Exhibit 300s, based on the absence of required documentation for 4 of the 11 Exhibit 300s reviewed. As a result, the major IT investments within USDA lack the required supporting documentation that outlines the investment's planning, funding, and implementation progress through the project life cycle. This occurred because OCIO's Capital Planning Division (CPD) did not require all supporting documentation to be submitted.

In addition, our testing identified an IT investment that was not considered major by the Department upon its inception on April 30, 2010. Based on the definition of a major investment by OMB as "a system or acquisition requiring special management attention because of its importance to the mission or function of the agency, a component of the agency, or another organization," we believe the investment should have been considered a major IT investment in 2010. This is based upon the investment's function, which provides cloud-based email support to USDA, and is a critical function within the Department.

[76] Agencies must provide IT Investment information using the Agency IT Investment Portfolio (Exhibits 53A&B), Guidance on Exhibit 53 – Information Technology and E-Government, OMB (2011).
[77] Exhibit 300 establishes policy for planning, budgeting, acquisition, and management of major IT capital investments. OMB, Guidance on Exhibit 300 – Planning, Budgeting, Acquisition, and Management of IT Capital Assets (2011).
The Department categorized the investment as major in FY 2013 for the FY 2015 budget cycle; however, by not classifying it as a major investment in 2010, the Department did not record and report the information security resources required for the investment during the annual budgeting process for the previous three years.

11.1.5 Ensures that information security resources are available for expenditure as planned. - No

We reviewed the Exhibit 53B documentation submitted by USDA and the four selected agencies as part of the annual budgeting process. Our testing determined that the Exhibit 53B was prepared and submitted; however, as noted in 11.1.2, the agencies could not provide documentation that supported the amounts included on the Exhibit 53B. We determined the agencies did not adequately plan when expending IT resources based on the Exhibit 53B because supporting documentation for the amounts was not maintained. This occurred because CPD did not require the submission of all supporting documentation. As a result, USDA lacks justification for the IT security costs portion of its budgetary request.

11.2 Please provide any additional information on the effectiveness of the organization's Security Capital Planning Program that was not noted in the questions above.

No additional information to provide.

Exhibit B: Sampling Methodology and Projections

Objective:
This sample was designed to support OIG audit number 50501-0004-12.
The objective of this audit was to evaluate the status of USDA's overall IT security program based on the following overarching criteria:

     •   Effectiveness of the Department's oversight of agencies' CIOs, and compliance with FISMA;
     •   Agencies' system of internal controls over IT assets;
     •   Department's progress in establishing a Departmentwide security program, which includes effective assessments and authorizations;
     •   Agencies' and Department's POA&M consolidation and reporting process; and
     •   Effectiveness of controls over configuration management, incident response, IT training, remote access management, identity and access management, continuous monitoring, contingency planning, contractor systems, and capital planning.

FISMA Audit Universes and Sample Designs:
FISMA covers multiple areas of IT security. We incorporated statistical sampling in four FISMA areas. Each of those areas was represented by a different universe. The specific design is summarized below for each of the four audit areas.

1. Incident Response and Reporting

Universe:
The audit universe consisted of 2,050 incidents reported for FY 2013, as of July 15, 2013. Each incident had a unique identifier (incident number) and was categorized based on incident type into one of nine categories. We wanted to ensure that at least one incident of each type was selected in our sample for review. One of the incident categories—CAT2—contained only three incidents. To make sure that incident type would get selected for review, we separated it into a census stratum of its own. We called that our stratum 1.
Stratum 2 consisted of all other types of incidents—a total of 2,047.

Sample Design:
Each incident category has specific procedures and timelines that must be met by OCIO and the agency. While standards differ among the categories, the standards fall into four common groups: checklist requirements, reporting requirements, timely resolution, and damage containment. Thus, each incident response can be assessed as "pass" or "fail" when compared to the criteria that apply specifically to that incident type. This allowed us to combine incident response performance results (pass or fail) for the mix of incident types.

Stratum 1 was a census stratum consisting of the 3 CAT2 incidents.

From stratum 2, which consisted of 2,047 incidents, we selected a simple random sample of 89 incidents for review. The sample size was calculated based on the following factors:

     -   A desired 95 percent confidence level;
     -   A desired +/-10 percent precision in an attribute testing scenario;
     -   A universe size of 2,047 units;
     -   An expected error rate of 40 percent, based on historical information.

A listing and counts of incidents within the different categories in our universe and sample are presented in Table 1.

Table 1: Sample design summary for Incident Response and Reporting

 Stratum   | Incident type                                        | Number of incidents in the universe | Number of incidents in the sample
 Stratum 1 | CAT2 incidents - census                              |     3 |  3
           | Total for this stratum                               |     3 |  3
 Stratum 2 | USCERT CAT0 - Exercise/Network Defense Testing Count |   150 |  7
           | USCERT CAT1 - Unauthorized Access Count              |    32 |  1
           | USCERT CAT3 - Malicious Code Count                   |   798 | 29
           | USCERT CAT4 - Improper Usage Count                   |    83 |  6
           | USCERT CAT5 - Scans/Probes/Attempted Access Count    |    19 |  1
           | USCERT CAT6 - Investigation Count                    |   455 | 17
           | USDA CAT8 (USCERT CAT1) - Loss, Theft, Missing Count |   242 | 13
           | USDA CAT9 - Block List Count                         |   268 | 15
           | Total for this stratum                               | 2,047 | 89
           | Grand Total                                          | 2,050 | 92

Results:
Results are projected to the audit universe of 2,050 incidents. Achieved precision, relative to the universe, is reflected by the confidence interval for a 95 percent confidence level. All projections are made using the normal approximation to the binomial as reflected in standard equations for a stratified sample.[78]

The audit team tested a variety of criteria: whether or not the required personally identifiable information checklist was completed; whether or not the incidents were reported to US-CERT within the required timeframe; whether or not the proper checklist was completed, and if not, was still accepted by IMD; whether or not the completed incident identification form was completed in its entirety; whether or not the required incident category checklist was completed; and whether incidents were open for over 30 days without a POA&M being created.
[79]

[78] Scheaffer, Mendenhall, Ott, Elementary Survey Sampling, Fourth Edition (Chapter 5), Duxbury Press, c1990.
[79] Personally identifiable information is defined as any information which can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information that is linked or linkable to the individual.

We developed a projection for whether or not incidents were reported to US-CERT within the requested timeframe, and an overall projection, which is based on the number of incidents found in our sample with at least one exception. We are reporting actual findings for the rest of the criteria tested.

Projections are shown in Table 2. The narrative interpretation of the results is presented below the table.

Table 2: Incident Response and Reporting Projections

 Estimate description for tested criteria                                        | Estimate | Standard Error | 95% CI Lower | 95% CI Upper | Coefficient of Variation | Achieved Precision[80]
 Estimated number of incidents not reported to US-CERT within the required timeframe |  460 | 89.079 | 283 | 637 | .194 | 9%
     as a % of universe                                                              |  22% |     4% | 14% | 31% |      |
 Estimated total number of incidents with at least one exception                     |  530 | 93.426 | 344 | 716 | .176 | 9%
     as a % of universe                                                              |  26% |     5% | 17% | 35% |      |

Based on our sample results:
   •  We estimate that 460 incidents (about 22 percent of the audit universe) were not reported to US-CERT within the required timeframe. We are 95 percent confident that between 283 (14 percent) and 637 (31 percent) incidents in the audit universe are non-compliant with this criterion.
   •  We estimate that 530 incidents (about 26 percent of the audit universe) had at least one exception in the tested criteria. We are 95 percent confident that between 344 (17 percent) and 716 (35 percent) incidents in the audit universe were not handled in accordance with departmental procedures.

2. POA&Ms

POA&Ms (closed)

Universe:
The universe consisted of 869 POA&Ms.

Sample Design:
We selected a simple random sample of 68 closed POA&Ms for review. We based our sample size on the following factors:
    -   A desired 95 percent confidence level;
    -   A desired +/-10 percent precision in an attribute testing scenario;
    -   A universe size of 869 units;
    -   An expected error rate of 25 percent, based on historical information.

[80] Achieved precision is the difference between the estimate and the bounds divided by the size of the universe. For example: (637 - 460)/2050 = 9 percent (rounded to the nearest whole number).

Results:
Results for all criteria are projected to the audit universe of 869 closed POA&Ms. Achieved precision relative to the audit universe is reported for each criterion. The corresponding lower and upper bounds of the 95 percent confidence interval are also included.
All projections are made using the normal approximation to the binomial as reflected in standard equations for a simple random sample.[81]

Projections are shown in Table 3 below. The narrative interpretation of the results can be found below the table.

Table 3: POA&M (closed) Projections

 Estimate description for tested criteria | Estimate | Standard Error | 95% CI Lower | 95% CI Upper | Coefficient of Variation | Achieved Precision
 Estimated number of closed POA&Ms reviewed that did not have effective remediation plans detailed in CSAM to correct the identified weakness | 128 | 36.099 | 56 | 200 | .282 | 8%
     as a % of the universe | 15% | 4% | 6% | 23% | |

Based on our sample results, we estimate that 128 POA&Ms in our universe (about 15 percent of the universe) did not have effective remediation plans detailed in CSAM to correct the identified weakness. We are 95 percent confident that between 56 (6 percent) and 200 (23 percent) POA&Ms in the audit universe are non-compliant with this criterion.

3. System / Contingency Planning

Universe:
Our universe consisted of 220 FISMA-reportable systems for a variety of agencies reviewed as of July 17, 2013. Each system is to have a contingency plan that contains very specific recovery information in the event of a disaster.

Sample Design:
We wanted to ensure that at least one contingency plan per agency chosen for FISMA review was selected in our sample for review. All agencies except one had at least 19 systems in our universe; that agency had only two.
Hence, we separated that agency into a census stratum of its own, which we call stratum 1. Stratum 2 contained all other systems – a total of 218. In stratum 2, we selected a simple random sample of 49 contingency plans for review. Our sample size was based on the following factors:
    -   A desired 95 percent confidence level;
    -   A desired +/-10 percent precision in an attribute testing scenario;
    -   A universe size of 218 units;
    -   An expected error rate of 20 percent, based on historical information.

[81] Op. cit., Scheaffer et al., Chapter 4.

Results:
The audit team reviewed the 51 system contingency plans selected in the sample. Results are projected to the audit universe of 220 systems. Achieved precision relative to the universe is reported for each criterion. The corresponding lower and upper bounds of the 95 percent confidence interval are also included. For one criterion, the lower bound was lower than the number of exceptions observed in the sample. All projections are made using the normal approximation to the binomial as reflected in standard equations for a simple random sample.[82]

Projections are shown in Table 4.
The narrative interpretation of the results can be found below the table.

Table 4: System / Contingency Planning Projections

 Description of estimate for tested criteria | Estimate | Standard Error | 95% CI Lower | 95% CI Upper | Coefficient of Variation | Achieved Precision
 Number of systems that did not have ongoing testing or did not provide documentation of testing | 58 | 12.231 | 33 | 82 | .211 | 11%
     as a % of universe | 26% | 6% | 15% | 37% | |
 Number of contingency plans that did not have evidence that they considered their supply chains or vendors | 18 | 7.586 | 4* | 33 | .426 | 7%
     as a % of universe | 8% | 3% | 2% | 15% | |

* Actual number found. Statistical lower bound = 3.

Based on our sample results:
   •  We estimate that 58 systems in our universe (about 26 percent of the universe) did not have ongoing testing or did not provide documentation of testing. We are 95 percent confident that between 33 (15 percent) and 82 systems (37 percent) are non-compliant with this criterion.
   •  We estimate that 18 systems in our universe (about 8 percent of the universe) did not have evidence that they considered their supply chains or vendors.
We are 95 percent confident that between 4 (actual number found, 2 percent) and 33 systems (15 percent) are non-compliant with this criterion.

In addition to the criteria above, the audit team tested and found the following:
   •  51 of 51 agency contingency plans incorporated test, training, and exercise programs into their plans. All the systems in our sample were compliant with the requirement. Based on this sample result, we are 95 percent confident that non-compliance in this criterion does not exceed 5 percent.
   •  We found 51 of 51 agency contingency plans included an alternate processing site. All were compliant. Based on this sample result, we are 95 percent confident that non-compliance in this criterion does not exceed 5 percent.
   •  We found 51 of 51 alternate processing sites were not subject to the same risks as the primary site. All were compliant. Based on this sample result, we are 95 percent confident that non-compliance in this criterion does not exceed 5 percent.

[82] Ibid.

4. CSAM for non-contractor systems

Universe:
Our universe consisted of 201 operational, FISMA-reportable, non-contractor systems. We excluded OIG and the two sample agencies from our universe and sample because they were chosen as sample agencies for our FY 2013 FISMA review, so their systems were already under review.

Sample Design:
We selected a simple random sample of 40 systems for review. The audit team expected to find very few errors. We based the sample size on an expected error rate of 15 percent and a desired precision of +/-10 percent at the 95 percent confidence level.

Results:
Our audit team reviewed all 40 systems selected in the sample and found none that were misidentified.
Based on this result, we are 95 percent confident that the percentage of systems that are misidentified does not exceed 6.5 percent of all the systems in our audit universe.

Auditors reviewed documentation and found 4 non-contractor systems with insufficient interconnection documentation. Based on this sample result, we project that 20 systems in the universe of 201 have this issue. We are 95 percent confident that between 3 and 38 CSAM systems may have insufficient documentation. Table 5 shows the parameters for this projection.

Table 5: CSAM for non-contractor systems projections

 Description of estimate for tested criteria | Estimate | Standard Error | 95% CI Lower | 95% CI Upper | Coefficient of Variation | Achieved Precision
 Estimated number of systems with insufficient interconnection documentation | 20 | 8.642 | 3 | 38 | .430 | 9%
     as a % of universe | 10% | 4% | 1% | 19% | |

To learn more about OIG, visit our website at www.usda.gov/oig/index.htm

How To Report Suspected Wrongdoing in USDA Programs

Fraud, Waste and Abuse
e-mail: USDA.HOTLINE@oig.usda.gov
phone: 800-424-9121
fax: 202-690-2474

Bribes or Gratuities
202-720-7257 (24 hours a day)

The U.S. Department of Agriculture (USDA) prohibits discrimination in all of its programs and activities on the basis of race, color, national origin, age, disability, and where applicable, sex (including gender identity and expression), marital status, familial status, parental status, religion, sexual orientation, political beliefs, genetic information, reprisal, or because all or part of an individual's income is derived from any public assistance program. (Not all prohibited bases apply to all programs.) Persons with disabilities who require alternative means for communication of program information (Braille, large print, audiotape, etc.) should contact USDA's TARGET Center at (202) 720-2600 (voice and TDD).

To file a complaint of discrimination, write to USDA, Assistant Secretary for Civil Rights, Office of the Assistant Secretary for Civil Rights, 1400 Independence Avenue, S.W., Stop 9410, Washington, DC 20250-9410, or call toll-free at (866) 632-9992 (English) or (800) 877-8339 (TDD) or (866) 377-8642 (English Federal-relay) or (800) 845-6136 (Spanish Federal relay). USDA is an equal opportunity provider and employer.
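Exhibit B states its method in words (normal approximation to the binomial, stratified or simple random sample, footnote 80's achieved precision) but shows none of the arithmetic. The Python below is an added example, not part of the OIG report, that reproduces Tables 2 through 5 and the "does not exceed" bounds for the zero-exception criteria from the universe and sample sizes given in Exhibit B; the per-stratum exception counts and the Student t multiplier with n - 1 degrees of freedom are assumptions inferred from the reported figures.

```python
"""Reproduce the Exhibit B projections: stratified attribute sampling with a
census stratum, finite-population correction, and a zero-exception bound."""
from dataclasses import dataclass
from math import comb, sqrt

Z_975 = 1.959964  # standard-normal 97.5th percentile (two-sided 95 percent)


def t_975(df: int) -> float:
    """Student t 0.975 quantile from the Cornish-Fisher expansion around z.

    Accurate to about 1e-4 for df >= 30, which covers every sample in Exhibit B,
    so no scipy dependency is needed.
    """
    z = Z_975
    g1 = (z**3 + z) / 4
    g2 = (5 * z**5 + 16 * z**3 + 3 * z) / 96
    g3 = (3 * z**7 + 19 * z**5 + 17 * z**3 - 15 * z) / 384
    return z + g1 / df + g2 / df**2 + g3 / df**3


@dataclass(frozen=True)
class Stratum:
    universe: int    # N_h: units of the audit universe in this stratum
    sampled: int     # n_h: units reviewed (equal to universe for a census stratum)
    exceptions: int  # x_h: reviewed units that failed the criterion


def project(strata):
    """Estimate how many units in the whole universe fail the criterion.

    Each stratum contributes N_h * x_h/n_h to the total. A sampled stratum adds
    variance N_h^2 * (1 - n_h/N_h) * p_h(1 - p_h)/(n_h - 1); a census stratum adds
    none. Assumption: the interval multiplier is Student t with df = sum of
    (n_h - 1) over sampled strata, which reproduces the page's bounds where
    z = 1.96 comes out slightly narrow. Achieved precision follows footnote 80:
    (upper bound - estimate) / universe size.
    """
    total_units = sum(s.universe for s in strata)
    estimate = variance = 0.0
    df = 0
    for s in strata:
        p = s.exceptions / s.sampled
        estimate += s.universe * p
        if s.sampled < s.universe:  # a census stratum has no sampling error
            fpc = 1 - s.sampled / s.universe
            variance += s.universe**2 * fpc * p * (1 - p) / (s.sampled - 1)
            df += s.sampled - 1
    se = sqrt(variance)
    half_width = t_975(df) * se if df > 0 else 0.0
    return {
        "estimate": estimate,
        "se": se,
        "lower": estimate - half_width,
        "upper": estimate + half_width,
        "cv": se / estimate if estimate else float("nan"),
        "precision": half_width / total_units,
    }


def zero_exception_upper_bound(universe: int, sampled: int, alpha: float = 0.05) -> int:
    """Largest count D of failing units still consistent, at the one-sided alpha
    level, with drawing zero exceptions in n units sampled without replacement:
    P(X = 0 | D) = C(N - D, n) / C(N, n) >= alpha (hypergeometric).

    This is the 'non-compliance does not exceed X percent' statement used for
    the 51-of-51 and 40-of-40 criteria.
    """
    d = 0
    while comb(universe - d - 1, sampled) / comb(universe, sampled) >= alpha:
        d += 1
    return d


# Inputs reconstructed from the page's tables. The exception counts are an
# inference from the reported estimates (e.g. 2,047 * 20/89 = 460), not figures
# printed in the report.
EXHIBIT_B = {
    "Table 2, not reported to US-CERT in time":  [Stratum(3, 3, 0), Stratum(2047, 89, 20)],
    "Table 2, at least one exception":           [Stratum(3, 3, 1), Stratum(2047, 89, 23)],
    "Table 3, closed POA&Ms without plan":       [Stratum(869, 68, 10)],
    "Table 4, no evidence of testing":           [Stratum(2, 2, 0), Stratum(218, 49, 13)],
    "Table 4, supply chain not considered":      [Stratum(2, 2, 0), Stratum(218, 49, 4)],
    "Table 5, insufficient interconnection doc": [Stratum(201, 40, 4)],
}

if __name__ == "__main__":
    for name, strata in EXHIBIT_B.items():
        r = project(strata)
        print(f"{name}: estimate {r['estimate']:.0f}, SE {r['se']:.3f}, "
              f"95% CI [{r['lower']:.0f}, {r['upper']:.0f}], CV {r['cv']:.3f}, "
              f"achieved precision {r['precision']:.0%}")
    for n_universe, n_sample in ((220, 51), (201, 40)):
        d = zero_exception_upper_bound(n_universe, n_sample)
        print(f"0 of {n_sample} exceptions from {n_universe}: "
              f"non-compliance does not exceed {d} units ({d / n_universe:.1%})")
```

Running it prints each table's row to the rounding the report uses, and shows why Table 4 reports the actual count 4 rather than the computed lower bound 3.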